30 September 2024

Social media giant Meta fined €91M for storing millions of user passwords in plaintext



Meta, the parent company of Facebook, WhatsApp, and Instagram, has been fined €91 million ($101 million) by the Irish Data Protection Commission (DPC) after it was discovered that the company had stored hundreds of millions of user passwords in plaintext on its internal systems.

Meta initially disclosed the incident in 2019, revealing that an engineering error had led to the unprotected storage of user passwords. At the time, the company assured its users that the passwords were only exposed internally and that there was no evidence of misuse. Meta promised to notify all users affected by the security flaw.

The company explained that a security review had found that a “subset” of Facebook users’ passwords were “temporarily logged in a readable format.” However, a month later, the company acknowledged that “this issue impacted millions of Instagram users.”

Following a five-year investigation, the DPC found Meta in breach of its legal obligations under GDPR. The watchdog concluded that Meta had violated several provisions of the regulation: it failed to report the personal data breach to the DPC in a timely manner, and it did not implement appropriate technical safeguards to ensure the protection of users’ passwords.

The watchdog issued a reprimand and the €91 million fine in response to these infractions.

This latest fine is one of many that Meta has faced under GDPR enforcement. Recent penalties include a €405 million fine for Instagram’s mishandling of teen data, a €5.5 million penalty involving privacy issues with WhatsApp, and a record-breaking €1.2 billion fine for Meta’s transatlantic data transfers, in violation of GDPR’s data sovereignty provisions.
