Meta fined €91 million (about 14.5 billion yen) for storing hundreds of millions of passwords in plain text

On September 27, 2024, the Irish Data Protection Commission (DPC), which had been investigating Meta for storing hundreds of millions of user passwords in plaintext (neither hashed nor encrypted) on its internal servers, announced a fine of 91 million euros (approximately 14.5 billion yen) against the company.

Irish Data Protection Commission fines Meta Ireland €91 million | 27/09/2024 | Data Protection Commission
https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-91-million-fine-of-Meta

Meta pays the price for storing hundreds of millions of passwords in plaintext | Ars Technica
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/

EU privacy regulator fines Meta 91 million euros over password storage | Reuters
https://www.reuters.com/technology/eu-privacy-regulator-fines-meta-91-million-euros-over-password-storage-2024-09-27/

The issue first came to light in 2019, when security journalist Brian Krebs reported that the passwords of hundreds of millions of Facebook users were stored in plain text on internal servers belonging to Meta (then still named Facebook), where they were searchable by thousands of Facebook employees.

Facebook reveals it stores hundreds of millions of passwords unencrypted on its servers - GIGAZINE

Meta did not disclose the exact number of affected users, but reported that it plans to notify 'hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and millions of Instagram users' about the password issue.

After an inquiry lasting roughly five years, the DPC announced on September 27, 2024 that it was issuing a reprimand and a fine of €91 million to Meta's Irish subsidiary, Meta Platforms Ireland Limited (MPIL).

Since the 1990s, it has been standard practice in industries that handle user data to store passwords only as cryptographic hashes. Hashing means running each password through a one-way function and keeping only the resulting digest; a login is checked by hashing the submitted password and comparing digests, so the service never needs the plaintext after registration and a leaked table exposes hashes rather than passwords. Modern practice also adds a random per-password salt and uses a deliberately slow algorithm (bcrypt, scrypt, Argon2 or PBKDF2), so that identical passwords produce different stored values and brute-forcing a stolen hash is expensive. This best practice is now reflected in laws and regulations in many jurisdictions.
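To make the distinction concrete, here is an added example written for this article (not code from Meta or the DPC) of the practice described above: a small credential store that keeps only salted PBKDF2 digests, verifies logins with a constant-time comparison, fails closed on malformed records, and transparently raises the work factor of old records at the moment of a successful login. The algorithm parameters, record format and sample usernames and passwords are illustrative choices, not values drawn from the case.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict

# Illustrative parameters for this example, not anything taken from Meta.
# PBKDF2-HMAC-SHA256 is used because it ships in the standard library;
# Argon2id or bcrypt from a vetted library are the usual choices today.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000       # work factor: deliberately slow to brute-force
SALT_BYTES = 16            # per-password random salt
DKLEN = 32                 # derived key length in bytes


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt$digest' (base64 fields).

    The password itself never appears in the record; only a salted, slow,
    one-way digest of it does.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DKLEN)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        alg, iters, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iters)
    except ValueError:
        return False           # malformed record: fail closed
    if alg != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record uses an outdated algorithm or a weaker work factor."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


@dataclass
class CredentialStore:
    """In-memory stand-in for a user table that holds only hash records."""
    records: Dict[str, str] = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            # Burn the same work for unknown users so response time does not
            # reveal which usernames exist.
            hash_password(password)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record):
            # A successful login is the only moment the plaintext is legitimately
            # in hand, so upgrade the work factor transparently here.
            self.records[username] = hash_password(password)
        return ok


if __name__ == "__main__":
    store = CredentialStore()
    # Constructed sample data for the demonstration.
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    # Same password, different records: a leaked table reveals neither the
    # password nor which accounts share one, and cannot be searched by password.
    print(store.records["alice"])
    print(store.records["alice"] != store.records["bob"])
    print(store.login("alice", "correct horse battery staple"), store.login("alice", "wrong"))
```

The record carries its own algorithm name and iteration count, which is what makes the rehash-on-login step possible: the work factor can be raised in configuration and every active account migrates itself without anyone ever seeing, logging or searching a plaintext password.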

Despite this, the DPC's investigation found that Meta had not handled users' passwords securely.

'It is widely accepted that passwords should not be stored in plain text given the risk of misuse if user data is accessed,' DPC deputy chair Graham Doyle said in a statement. 'It is particularly important to note that the passwords investigated in this case were particularly sensitive, as they enabled access to users' social media accounts.'

The DPC found that Meta had infringed Article 33 of the EU General Data Protection Regulation (GDPR), which requires controllers to notify the supervisory authority of a personal data breach, and Article 32, which requires appropriate technical and organisational measures to ensure the security of processing, including the confidentiality of personal data such as passwords.

In response to the announcement, a Meta spokesperson said, 'We took immediate corrective action after identifying this error during a security review in 2019, and there is no evidence that passwords were misused or inappropriately accessed.'

The DPC plans to publish details of its findings on this matter at a later date.

in Security, Posted by log1l_ks