Meta fined $102 million for storing passwords in plain text
The Irish Data Protection Commission (DPC) has slapped Meta with a $101.5 million (€91 million) fine after wrapping up an investigation into a security breach in 2019, wherein the company mistakenly stored users' passwords in plain text. Meta's original announcement only talked about how it found some user passwords stored in plain text on its servers in January that year. But a month later, it updated its announcement to reveal that millions of Instagram passwords were also stored in easily readable format. While Meta didn't say how many accounts were affected, a senior employee told Krebs on Security back then that the incident involved up to 600 million passwords. Some of the passwords had been stored in easily readable format in the company's servers since 2012. They were also reportedly searchable by over 20,000 Facebook employees, though the DPC has clarified in its decision that they were at least not made available to external parties. The DPC found that Meta violated several
The Irish Data Protection Commission (DPC) has slapped Meta with a $101.5 million (€91 million) fine after wrapping up an investigation into a security breach in 2019, wherein the company mistakenly stored users' passwords in plain text. Meta's original announcement only talked about how it found some user passwords stored in plain text on its servers in January that year. But a month later, it updated its announcement to reveal that millions of Instagram passwords were also stored in easily readable format.
While Meta didn't say how many accounts were affected, a senior employee told Krebs on Security back then that the incident involved up to 600 million passwords. Some of the passwords had been stored in easily readable format in the company's servers since 2012. They were also reportedly searchable by over 20,000 Facebook employees, though the DPC has clarified in its decision that they were at least not made available to external parties.
The DPC found that Meta violated several GDPR rules related to the breach. It determined that the company failed to "notify the DPC of a personal data breach concerning storage of user passwords in plaintext" without undue delay and failed to "document personal data breaches concerning the storage of user passwords in plaintext." It also said that Meta violated the GDPR by not using appropriate technical measures to ensure the security of users' passwords against unauthorized processing.
"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts," DPC's Deputy Commissioner, Graham Doyle, said in a statement.
The DPC has also given the company a reprimand in addition to the penalty. We may know more about what that means for Meta exactly when the commission publishes its full final decision and other related information in the future.This article originally appeared on Engadget at https://www.engadget.com/big-tech/meta-fined-102-million-for-storing-passwords-in-plain-text-110049679.html?src=rss