Meta, the parent company of Facebook and Instagram, has acknowledged that it stored hundreds of millions of user passwords in plain text over roughly a decade. The problem first came to light in April 2019, when Facebook disclosed that the passwords had been written to internal storage in readable form rather than as salted, slow password hashes, so anyone with read access to that data could see the secret itself. Meta said the passwords were never visible to anyone outside the company and that it found no evidence of abuse, but it also emerged that about 2,000 engineers had made roughly 9 million internal queries against data containing these passwords.
After a five-year investigation, the Irish Data Protection Commission (DPC) fined Meta €91 million (about $101.5 million) for violating the General Data Protection Regulation (GDPR). The DPC stressed that storing passwords in plain text creates a serious risk: whoever can read the record can use it to gain unauthorised access to the user's social network account. Meta was found to have infringed four GDPR provisions, including the duty to notify the DPC of the breach without undue delay and to document it, and the duty to implement appropriate technical measures to protect the passwords.
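To make the DPC's point concrete, here is the difference between the storage practice at issue and the standard alternative. This is an added example, not Meta's code or data: the user store is a constructed in-memory dictionary, the usernames and passwords are invented, and the helper names (`store_plaintext`, `store_hashed`, `verify_password`, `leaked_by_internal_query`) are mine. It uses scrypt from Python's standard library as the slow, salted password hash; any comparable function (Argon2id, bcrypt) would do.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: CPU/memory cost 2**14, block size 8, parallelism 1,
# 32-byte derived key. Constructed defaults for this example.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def store_plaintext(store, username, password):
    """The failure mode in the article: the secret itself is persisted."""
    store[username] = password


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm, parameters, salt and hash.

    A fresh 16-byte random salt per user means equal passwords produce
    different records and precomputed tables are useless.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                         salt.hex(), dk.hex())


def store_hashed(store, username, password):
    """Persist only the salted hash; the password never reaches disk."""
    store[username] = hash_password(password)


def verify_password(store, username, password):
    """Recompute the hash from the stored parameters and compare in constant time."""
    record = store.get(username)
    if record is None:
        return False
    algo, n, r, p, salt_hex, dk_hex = record.split("$")
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def leaked_by_internal_query(store, username):
    """What an engineer with read access to the table sees for one user."""
    return store[username]


if __name__ == "__main__":
    # Constructed sample accounts, not real user data.
    plaintext_db, hashed_db = {}, {}
    store_plaintext(plaintext_db, "alice", "correct horse battery staple")
    store_hashed(hashed_db, "alice", "correct horse battery staple")

    # Same internal query, very different exposure.
    print("plaintext store:", leaked_by_internal_query(plaintext_db, "alice"))
    print("hashed store:   ", leaked_by_internal_query(hashed_db, "alice"))

    # Login still works against the hashed record; the wrong password fails.
    print(verify_password(hashed_db, "alice", "correct horse battery staple"))
    print(verify_password(hashed_db, "alice", "hunter2"))
```

The point of the record format is that a query against the hashed table yields only the salt and the scrypt output, which cannot be turned back into the password without brute force at the chosen cost; the same query against the plaintext table yields a working credential.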
The DPC's ruling does not say where the affected users are located, but the issue most likely concerns non-US users, since the DPC acts as Meta's lead regulator under the GDPR. The majority of the plaintext passwords were associated with Facebook Lite, a lower-bandwidth version of the app aimed at regions with limited internet connectivity.
Meta is appealing the DPC's ruling, and it remains possible that US user data will turn out to be affected as well. In a separate case, Meta was fined $1.3 billion (€1.2 billion) by the EU in 2023 for GDPR violations relating to transfers of European user data to the US.
The ruling adds to Meta's long-running privacy and security troubles, a series of controversies and investigations that includes the Cambridge Analytica scandal.