Meta hit with major fine over password storage

In this photo illustration, the Meta Platforms, Inc. logo is displayed on a smartphone screen.
(Image credit: Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Meta has been fined €91 million for incorrectly storing social media account passwords in unencrypted databases.

Meta notified the Irish Data Protection Commission it had unintentionally stored the passwords in plain text within its internal systems.

Following an inquiry in April 2019, the Irish Data Protection Commission (DPC) found that Meta had violated General Data Protection Regulation four times, and has issued the fine along with a warning for the company to improve its security structures.

Not the first time

Storing passwords in plain text is frowned upon for obvious reasons, especially as it makes them vulnerable to attackers if a data breach occurs.

This isn’t the first time the company has been fined for violating GDPR. In January 2023, Meta was hit by a €390 million fine by the DPC for serving personalized ads without the option to opt-out and its data handling practices.

Then in May 2023, Meta was fined the highest possible GDPR fine of €1.2 billion for transferring data from the EU to the US outside of GDPR guidelines. EU data remains protected by GDPR even when moved outside of the EU.

Meta was also fined €265 million by the DPC in 2022 after data that had been scraped from Facebook was leaked on a hacking forum. The leak contained the data of 533 million people across 106 countries.

Speaking on Meta’s most recent fine, DPC deputy commissioner Graham Doyle said, “It is widely accepted that user passwords should not be stored in 'plaintext' considering the risks of abuse that arise from persons accessing such data.”

"It must be borne in mind, that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts,” Doyle concluded.

Via BBC

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division). Benedict then continued his studies at a postgraduate level and achieved a distinction in MA Security, Intelligence and Diplomacy. Benedict transitioned his security interests towards cybersecurity upon joining TechRadar Pro as a Staff Writer, focusing on state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.