Meta Penalized $101 Million for Storing Passwords in Plaintext, Faces Heightened EU Oversight

The data was accessible to over 2,000 engineers, who collectively queried the password database more than 9 million times.

Meta, the parent company of Facebook, has been fined Euro 91 million (USD 101 million) by the Irish Data Protection Commission (DPC) following the revelation that the company stored millions of user passwords in plaintext.  

Plaintext refers to readable data that can be accessed without a decryption key. It can be any file or message, including text or binary data, that has not been encrypted. Plaintext is often used in tasks like document writing, coding, and email. In encryption, plaintext is the input that gets converted into ciphertext, which is the secured, unreadable version.

The breach, discovered during an internal review and disclosed in 2019, involved sensitive user data being accessible to over 2,000 engineers, who collectively queried the password database more than 9 million times. This fine adds to Meta’s growing list of penalties under the European Union’s General Data Protection Regulation (GDPR), which has cost the company more than Euro 2 billion since the regulation was introduced in 2018. Notably, Meta is appealing a record Euro 1.2 billion fine issued last year, making the company one of the most scrutinized by European regulators. 

Meta identified the security lapse during a routine check of its data storage practices. The company stated that no evidence was found to suggest that any internal personnel had misused the passwords or that external entities had accessed the data. Despite these assurances, the incident brought to light a major oversight, as modern security protocols universally require passwords to be protected through cryptographic hashing rather than stored in plaintext.

Password hashing, the standard across most industries, ensures that original passwords cannot be easily retrieved. Algorithms like bcrypt, PBKDF2, and SHA512crypt are specifically designed to slow down attempts to crack hashed passwords by making each guess computationally expensive, which deters attackers. Meta's failure to employ such methods represents a serious departure from accepted practices.

Graham Doyle, Deputy Commissioner at the DPC, highlighted the risks of Meta’s actions: "Storing user passwords in plaintext is widely recognized as a significant security vulnerability. Such data must be protected adequately to prevent abuse." 

As Meta continues to grapple with regulatory fines and pressures, this latest penalty underscores the EU's rigorous enforcement of data protection laws under GDPR. The company faces growing demands to revamp its security protocols and align with global privacy standards to avoid further sanctions.   