Meta, the parent company of Facebook and Instagram, has been hit with a $101.5 million fine by Ireland’s Data Protection Commission (DPC) following a five-year investigation. The probe uncovered that Meta had stored over 600 million user passwords in plain text, leaving them vulnerable to internal access for more than a decade. This security lapse, which dates back to 2019, violated the European Union’s strict General Data Protection Regulation (GDPR), dealing another significant blow to Meta’s already troubled privacy record.
The issue first came to light in 2019 when Facebook, now Meta, admitted that “hundreds of millions” of user passwords were being stored in plain text, with no hashing or encryption applied. Internally, these passwords were accessible to engineers, with Meta confirming that around 2,000 employees had made over 9 million queries to this database. While the passwords were not exposed to external entities, the sheer number of people who could access such sensitive data raised alarms over Meta’s internal security practices.
The DPC’s investigation into this breach began soon after the issue was disclosed, culminating in the recent fine. The investigation revealed that Meta had delayed notifying authorities about the breach, only doing so months after it was first discovered internally. This delay in reporting was one of the key factors contributing to the penalty.
GDPR Violations and Their Consequences
The fine was imposed under the GDPR, a regulation introduced by the European Union in 2018 to safeguard user data. Companies are required by the GDPR to implement robust privacy measures and to promptly report any data breaches. In Meta’s case, the company was found to have violated four sections of the regulation, one of which was the delayed notification of the breach to the DPC. Even though Meta eventually reported the issue, the long delay was deemed unacceptable.
Deputy Commissioner of the DPC, Graham Doyle, highlighted the severity of storing passwords in plain text, stating, “It is widely accepted that user passwords should not be stored in plain text, considering the risks of abuse.” He emphasized that these passwords were particularly sensitive, as they could have allowed unauthorized access to users’ social media accounts.
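The mitigation Doyle alludes to is a salted, deliberately slow password hash: the service keeps only a one-way digest, so a database dump or an over-privileged internal query yields nothing that can be replayed as a login. The following is an added example written for this article, not Meta's code; it uses Python's standard-library `hashlib.scrypt` with parameters chosen as an assumed interactive-login cost (tune them for your own hardware), a random 16-byte salt per record, and a constant-time comparison on verification.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt cost parameters (assumption: a reasonable interactive-login cost as
# of this writing; raise N as hardware gets faster). Memory use is 128*N*r*p bytes.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "scrypt$N$r$p$salt$key" (all parts base64
    where binary) so the verifier can recompute the hash without any other state."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters embedded in the record and compare
    in constant time. Any malformed record simply fails verification."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(actual, expected)


class CredentialStore:
    """Minimal in-memory credential table that never retains the plaintext.
    A dump of its records is what an insider with query access would see."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)
        # The plaintext goes out of scope here; nothing below can recover it.

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Burn the same cost for unknown users so timing does not reveal
            # which usernames exist (constructed dummy record, never matches).
            verify_password(password, hash_password("dummy", salt=b"\x00" * SALT_BYTES))
            return False
        return verify_password(password, record)

    def export_records(self) -> Dict[str, str]:
        """What a database export (or an internal query) actually contains."""
        return dict(self._records)


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")  # constructed sample
    print("login ok:", store.login("alice", "correct horse battery staple"))
    print("wrong pw:", store.login("alice", "Correct horse battery staple"))
    print("exported record:", store.export_records()["alice"])
```

Because the salt and cost parameters travel inside each record, the parameters can be raised later and old records re-hashed on the user's next successful login without a schema change. Breach notification obligations under the GDPR are unaffected by this design, but an exported table of such records discloses no reusable credential.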
Who Was Affected by the Breach?
The full details of the DPC’s ruling are yet to be made public, leaving uncertainty around exactly which users were impacted. It is still unclear whether the breach included U.S. users or was confined to users in Ireland and the European Union. However, evidence suggests that the issue primarily affected non-U.S. users.
In 2019, Facebook stated that most of the compromised plain text passwords were associated with Facebook Lite, a stripped-down version of the social media platform designed for regions with slower internet connectivity. This indicates that the majority of the affected users were likely located in countries where Facebook Lite was widely used. Further details about the scope of affected users in Ireland and other parts of the European Union have yet to be disclosed.
In a separate case, Meta is appealing a 2023 DPC ruling that involves a $1.3 billion fine for violating data protection laws related to the transfer of user data between the EU and the U.S. This suggests that U.S. user data might have been compromised in other breaches. However, in the case of the plain text password storage, it seems the focus remains on non-U.S. users.
This incident adds to Meta’s long-standing track record of privacy and security issues. Even before the plain text password breach came to light, the company was embroiled in multiple privacy controversies. One of the most infamous cases involved Cambridge Analytica, where Facebook was found to have shared user data improperly with the political consulting firm, which used it to influence elections.
At the same time, Facebook was also under federal investigation for its data-sharing practices with third-party companies. These scandals, coupled with the plain text password breach, have significantly damaged Meta’s reputation and led to a series of legal challenges and hefty financial penalties.
One key question that remains unanswered is how Meta has improved its internal security measures since the breach. The passwords had been stored in plain text for many years, dating back to 2012. Given the severity of the issue, many are wondering how the company has revamped its security infrastructure to prevent similar breaches in the future.
Meta has not provided detailed information about the steps it has taken to address these flaws. However, given the substantial fines and regulatory pressure, it is expected that Meta has made efforts to enhance its data security. The DPC’s ruling and the significant penalty may serve as a wake-up call for Meta to adopt stricter security protocols and ensure greater transparency in its data handling processes.
Meta’s $101.5 million fine for storing 600 million Facebook and Instagram passwords in plain text underscores the critical importance of data security. The company’s failure to store passwords in properly hashed or encrypted form, and its slow response in notifying authorities of the breach, were clear violations of GDPR regulations. While the full extent of the breach remains unclear, this incident is yet another stain on Meta’s reputation, following years of privacy scandals. As Meta faces increasing scrutiny from regulators, it will need to take meaningful steps to rebuild trust and ensure the protection of user data going forward.