Meta hit with major fine over password storage

Meta stored passwords in plaintext, and is paying the price

Meta has been fined €91 million for incorrectly storing social media account passwords in unencrypted databases.

Meta notified the Irish Data Protection Commission it had unintentionally stored the passwords in plain text within its internal systems.

Following an inquiry in April 2019, the Irish Data Protection Commission (DPC) found that Meta had violated the General Data Protection Regulation four times, and has issued the fine along with a warning for the company to improve its security structures.

Not the first time

Storing passwords in plain text is frowned upon for obvious reasons, especially as it makes them vulnerable to attackers if a data breach occurs.

This isn’t the first time the company has been fined for violating GDPR. In January 2023, Meta was hit by a €390 million fine by the DPC for serving personalized ads without the option to opt-out and its data handling practices.

Then in May 2023, Meta was fined the highest possible GDPR fine of €1.2 billion for transferring data from the EU to the US outside of GDPR guidelines. EU data remains protected by GDPR even when moved outside of the EU.

Meta was also fined €265 million by the DPC in 2022 after data that had been scraped from Facebook was leaked on a hacking forum. The leak contained the data of 533 million people across 106 countries.

Speaking on Meta’s most recent fine, DPC deputy commissioner Graham Doyle said, “It is widely accepted that user passwords should not be stored in ‘plaintext’ considering the risks of abuse that arise from persons accessing such data.”

“It must be borne in mind, that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts,” Doyle concluded.

Via BBC

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
