SafetyDetectives
$ United States dollar
$ United States dollar Euro£ British poundAED UAE dirhamARS Argentine pesoAU$ Australian dollarBGN Bulgarian levR$ Brazilian realCA$ Canadian dollarCHF Swiss francCLP Chilean pesoCN¥ Chinese yuanCOP Colombian pesoCZK Czech korunaDKK Danish kroneEGP Egyptian poundHK$ Hong Kong dollarHUF Hungarian forintIDR Indonesian rupiah Israeli new shekelINR Indian rupee¥ Japanese yen South Korean wonMX$ Mexican pesoMYR Malaysian ringgitNOK Norwegian kroneNZ$ New Zealand dollarPLN Polish złotyRON Romanian leuRUB Russian rubleSAR Saudi riyalSEK Swedish kronaSGD Singapore dollar฿ Thai bahtTRY Turkish liraNT$ New Taiwan dollarUAH Ukrainian hryvnia Vietnamese DongZAR South African rand

Meta Slapped With $100M For Exposing Millions of Facebook Passwords

Penka Hristovska
Penka Hristovska Senior Editor
Published on: October 1, 2024
Penka Hristovska Penka Hristovska
Published on: October 1, 2024 Senior Editor

The Data Protection Commission (DPC) of Ireland has imposed a $100 million fine on Meta, the parent company of Facebook, after the company inadvertently stored plaintext passwords of approximately 600 million users.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Irish DPC Deputy Commissioner Graham Doyle said in a statement. “It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

“This Decision of the DPC concerns the GDPR principles of integrity and confidentiality,” the Commission said in a news release.

The DPC’s ruling concludes an inquiry initiated in 2019, following a report by American security researcher Brian Krebbs in March of that year. Meta did notify the Data Protection Commission that it had unintentionally stored user passwords without employing cryptographic protection or encryption, a clear violation of the security standards outlined in the General Data Protection Regulation (GDPR).

However, the regulators highlighted in their decision that Meta didn’t do so “in a timely manner.”

On top of failing to implement the necessary technical and organizational security measures required by GDPR to protect users’ data from unauthorized access, Meta also didn’t properly manage security risks associated with the type of data processed, including how that data was stored on Meta’s database servers, DPC Ireland said.

A Meta spokesperson stated that the company had taken immediate action to address the issue upon discovery.

“As part of a security review in 2019, we found that a subset of FB users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” the statement said.

A DPC investigation into the matter confirmed that the exposed passwords were not made accessible to external parties, but it still left users vulnerable.

“A personal data breach may, if not addressed in an appropriate and timely manner, result in damage such as loss of control over personal data,” DPC said.

About the Author
Penka Hristovska
Penka Hristovska
Senior Editor
Published on: October 1, 2024

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.

Leave a Comment