One of Facebook/Meta's headquarters

Meta stored 600 million Facebook and Instagram passwords in plain text

AppleInsider

Across Facebook and Instagram, Meta has been storing more than half a billion users' passwords in plain text, with some easily readable for more than a decade.

The issue was first uncovered in 2019 when Facebook admitted to "hundreds of millions" of passwords being stored unencrypted. Facebook, now Meta, said that the passwords were not available outside of the company — but also admitted that around 2,000 engineers had made about 9 million queries on that user database.

Now Meta's operation in Ireland has finally been fined $101.5 million after a five-year investigation by the Irish Data Protection Commission (DPC). The fine is levied under Europe's stringent General Data Protection Regulation (GDPR).

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."
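The remedy behind the regulator's point is routine: store a salted, slow hash of the password rather than the password itself, so that anyone able to query the user table sees nothing they can log in with. The following is an added example, not Meta's code or anything from the article; it puts the plaintext store beside a salted scrypt store and adds an audit check that flags any record still containing the raw password. The scrypt parameters and field names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: the plaintext "store" the article describes,
# beside the salted-hash store that should replace it.

# Assumed scrypt cost parameters (16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(password: str) -> dict:
    # Anti-pattern: the record itself is the credential. Anyone who can
    # read the table can use it to sign in as the user.
    return {"password": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    # Each user gets a random 16-byte salt, so identical passwords do not
    # share a hash and precomputed tables are useless against the dump.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaks_plaintext(record: dict, password: str) -> bool:
    # Audit check to run over a stored record: does any field contain
    # the user's password verbatim? True for the plaintext store only.
    return any(password in str(value) for value in record.values())
```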

Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered.

What users were affected

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any belonging to US users, or only those of users in Ireland or across the rest of the European Union.

It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

Also, Meta is separately appealing a 2023 DPC ruling regarding GDPR which does potentially include US data. According to MoneyCheck, Meta was reportedly fined $1.3 billion for infringing data protection regulations concerning the transfer of user data between the EU and the US.

It's also not known how Meta has presumably revamped its security, only that at least some passwords were stored unencrypted from 2012.

The ruling against Meta follows years of different privacy and security scandals involving Facebook. Shortly before this issue first surfaced, Facebook was being investigated by federal authorities over data sharing with other companies, most notoriously including Cambridge Analytica.


9 Comments

Pema 108 comments · 2 Years
About 10 hours ago


Meta has been ridden by one scandal after another. So what else is new? 

bala1234 157 comments · 6 Years
About 8 hours ago


Pema said:
Meta has been ridden by one scandal after another. So what else is new? 
This is bad/unprofessional even given all the past Facebook scandals.

welshdog 1890 comments · 22 Years
About 7 hours ago


Companies will NEVER maintain robust security until there are real monetary and incarceration risks for security failures. Just look at what happened with National Public Data. Few corporations, even really big ones, take the security of our data seriously. I think Apple does, more than most, but obviously they seem to stand alone on this issue.
Until some jagoff VP in charge of customer data gets put in jail for making an irresponsible security decision, this kind of thing won't stop. Fine companies a significant percentage of their annual revenue for losing our data, and then we'll see how seriously they take it. Also, 100% ban anyone but the government from using our SSNs and issue all new SSNs to reestablish the validity of our numbers. Severe penalties for not purging all our numbers from their systems and long term archives.
OctoMonkey 314 comments · 4 Years
About 6 hours ago


welshdog said:
Companies will NEVER maintain robust security until there are real monetary and incarceration risks for security failures. Just look at what happened with National Public Data. Few corporations, even really big ones, take the security of our data seriously. I think Apple does, more than most, but obviously they seem to stand alone on this issue.

Until some jagoff VP in charge of customer data gets put in jail for making an irresponsible security decision, this kind of thing won't stop. Fine companies a significant percentage of their annual revenue for losing our data, and then we'll see how seriously they take it. Also, 100% ban anyone but the government from using our SSNs and issue all new SSNs to reestablish the validity of our numbers. Severe penalties for not purging all our numbers from their systems and long term archives.
Agreed!  Yesterday our (juvenile) son received a piece of mail indicating his data had been exposed in a data breach.  Grrrrr!!!

The government needs to actually do something about this!  Pass laws requiring this data to not be stored on servers which are connected to the internet...  hold companies financially responsible for data breaches (not just offering a year of data monitoring), big fines! payable directly to the individual whose data was compromised, not the government...  hold the executives financially responsible...  hold the board of directors financially responsible.  Something!  But this needs to stop!

As for SSNs, I agree 100%!

eriamjh 1724 comments · 17 Years
About 5 hours ago


None of our information anywhere is safe because websites, companies, etc. are all f*cking stupid idiots.

Tip: Every year, tell the CC company your cards were stolen.  Get new ones with new expiration dates.  No matter what.

Too bad we can't change our SSN with the govt.   Those numbers have all been leaked for just about everyone.   What are we supposed to do about that?
