Pierluigi Paganini September 28, 2024

The Irish Data Protection Commission (DPC) fined Meta €91 million for storing the passwords of hundreds of millions of users in plaintext.

The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for storing the passwords of hundreds of millions of users in plaintext, violating data protection regulations.

In 2019, Meta disclosed that it had inadvertently stored some users’ passwords in plaintext on its internal systems, without encrypting them.

“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.” reported Meta. “We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”

The company pointed out that these passwords were only visible to people inside of Facebook and found no evidence that anyone internally abused or improperly accessed them. 

Meta estimated that the incident impacted hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.

Facebook Lite is a simplified version of Facebook primarily used in regions with limited internet connectivity.

The social media giant reported the incident to the Irish Data Protection Commission (DPC), which launched an investigation into the company’s data storage practices in April 2019.

“The Data Protection Commission (DPC) has today announced its final decision following an inquiry into Meta Platforms Ireland Limited (MPIL). This inquiry was launched in April 2019, after MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption).” reads DPC’s statement.

“The DPC submitted a draft decision to the other Concerned Supervisory Authorities across the EU/EEA in June 2024, as required under Article 60 of the GDPR. No objections to the draft decision were raised by the other authorities. The decision, which was made by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, and notified to MPIL yesterday September 26, includes a reprimand and a fine of €91million.”

The Irish Data Protection Commission (DPC) stated that it will release its full decision and additional details about the incident at a later date.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.” said Deputy Commissioner at the DPC, Graham Doyle.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)