The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for inadvertently storing hundreds of millions of user passwords internally in plaintext.
It has also issued the company a reprimand over the matter.
In March 2019, Meta notified the DPC that it had incorrectly stored certain Facebook user passwords in plaintext on its internal systems, i.e., without cryptographic protection or encryption. It also publicly acknowledged the incident at the time.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Meta disclosed in a news release in March 2019.
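The "techniques that make them unreadable" that Meta refers to are salted, deliberately slow password hashes: the login system stores a one-way digest and recomputes it at login, so the store never holds the password itself. The following Python is an added illustration written for this page, not Meta's code and not part of the DPC decision. It places the failure mode the article describes (storing the password as-is) beside the hardened form (scrypt from the standard library's `hashlib` with a random per-user salt and a constant-time comparison), and adds a small audit helper that flags records in a credential store that are not in the hashed format. The record layout, the scrypt cost parameters and the sample credentials are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed sample credentials for the demonstration; not real accounts.
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "Tr0ub4dor&3"}

# scrypt cost parameters: assumed values for this example (2^14 / 8 / 1 needs
# 16 MiB per hash, which fits Python's default maxmem); tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, DK_LEN = 16, 32
RECORD_PREFIX = "scrypt$"


def store_plaintext(password: str) -> str:
    """The failure mode from the article: the password is written as-is.

    Anyone who can read the store (a log, a backup, an internal analytics
    table) can read every user's password and log in as that user.
    """
    return password


def _b64(raw: bytes) -> str:
    # base64 never contains '$', so it is safe to use '$' as the field separator.
    return base64.b64encode(raw).decode("ascii")


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: store a salted scrypt digest instead of the password.

    Record layout (assumed for this example):
        scrypt$<N>$<r>$<p>$<base64 salt>$<base64 derived key>
    """
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    dk = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DK_LEN,
    )
    return "scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(dk))


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare.

    A record that is not in the hashed format (for example a raw password that
    leaked into the store) is rejected rather than compared byte-for-byte.
    """
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4])
        expected = base64.b64decode(parts[5])
    except ValueError:
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def audit_store(records: Dict[str, str]) -> List[str]:
    """Detection helper: return the user names whose stored record is not in the
    expected hashed format. Running this over a credential table, a log export
    or a backup is one way to catch plaintext storage before a regulator does."""
    return sorted(user for user, rec in records.items() if not rec.startswith(RECORD_PREFIX))


def build_store(users: Dict[str, str], plaintext_users: Iterable[str] = ()) -> Dict[str, str]:
    """Build a store where the named users are (wrongly) kept in plaintext and
    everyone else is hashed, to give audit_store something to find."""
    bad = set(plaintext_users)
    return {u: (store_plaintext(pw) if u in bad else store_hashed(pw)) for u, pw in users.items()}


if __name__ == "__main__":
    store = build_store(SAMPLE_USERS, plaintext_users=["bob"])
    for user, rec in store.items():
        print(f"{user}: {rec}")
    print("login alice ok:", verify(SAMPLE_USERS["alice"], store["alice"]))
    print("login alice wrong pw:", verify("not her password", store["alice"]))
    print("records not hashed:", audit_store(store))
```

The two things worth noticing when running it: the hashed record for the same password differs every time because of the random salt, so an attacker who obtains the store cannot precompute a table; and the plaintext record for `bob` is both readable in the output and flagged by `audit_store`, which is the check a review like the one Meta describes would run across internal data stores.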
While the company did not reveal how many users were impacted by the issue, it estimated that it would notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users,” and “millions of Instagram users.”
Back then, Meta said it had found no evidence that the passwords were made available to external parties or were internally abused or improperly accessed.
“It is widely accepted that user passwords should not be stored in ‘plaintext’ considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts,” Graham Doyle, Deputy Commissioner at the DPC, said in a statement.
Reacting to the DPC fine, Meta said in a statement shared with the Associated Press, “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly. We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”