Meta was fined €91.5 million by the Irish Data Protection Commission (DPC) following the completion of an investigation into a 2019 security breach. The company announced in January of that year that it had found some user passwords stored in plain text; an update a month later revealed that the passwords of millions of Instagram users had also been stored in an easily readable form.
While Meta did not clearly state how many accounts were affected, a senior employee at the time told Krebs on Security that the incident involved approximately 600 million passwords. It was reported that some passwords had been stored in plain text on the company's servers since 2012, and that more than 20,000 Facebook employees could access them. However, the DPC's decision states that this information was not shared with external parties.
The DPC stated that Meta violated the European Union General Data Protection Regulation (GDPR) in relation to this breach. The commission found that the company "failed to promptly notify the DPC of a personal data breach relating to the storage of user passwords in plain text format" and failed to document the breach adequately. It also found that appropriate technical measures had not been taken to protect user passwords from unauthorized processing.
"It is widely accepted that user passwords should not be stored in plain text format as there is a high risk of abuse by those accessing such data," DPC Deputy Chairman Graham Doyle said in a statement. "The passwords in question in this case are particularly sensitive as they provide access to users' social media accounts."
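As an added illustration that is not part of this article and not Meta's own code: the storage pattern the DPC faulted, beside a hardened form that keeps only a per-user random salt and a memory-hard derived key (Python's hashlib.scrypt). The in-memory user table, usernames and passwords are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a credential database (a dict keyed by username).

def store_plaintext(table, username, password):
    """The faulted pattern: the password itself is written to the store,
    so any operator, process, backup or log with read access recovers it."""
    table[username] = password


# Hardened pattern: the store never holds the password, only a random
# per-user salt and a key derived from the password with a memory-hard KDF.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB per derivation


def derive_key(password, salt):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_hashed(table, username, password):
    salt = os.urandom(16)  # unique per user; defeats precomputed tables
    table[username] = (salt, derive_key(password, salt))


def verify_hashed(table, username, password):
    """Re-derive from the candidate password and compare in constant time."""
    record = table.get(username)
    if record is None:
        return False
    salt, stored_key = record
    return hmac.compare_digest(stored_key, derive_key(password, salt))


def recoverable_secrets(table):
    """What a reader with access to the raw records learns: plaintext
    entries hand back the password, hashed entries yield nothing usable."""
    return {u: (v if isinstance(v, str) else None) for u, v in table.items()}


if __name__ == "__main__":
    weak, strong = {}, {}
    store_plaintext(weak, "alice", "hunter2")   # constructed sample credential
    store_hashed(strong, "alice", "hunter2")
    print(recoverable_secrets(weak))    # {'alice': 'hunter2'}
    print(recoverable_secrets(strong))  # {'alice': None}
    print(verify_hashed(strong, "alice", "hunter2"))  # True
```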
Meta also received a warning
In addition to the fine, the Commission also issued Meta a warning. What exactly the warning entails for Meta will become clear once the Commission publishes its final decision and the related material.