Meta spanked for violating GDPR as it stored 600 million social media account passwords in plaintext

In a day and age when online security is more important than ever, Meta Platforms Ireland Limited (MPIL) was found to have stored over 600 million passwords belonging to Instagram and Facebook users in plaintext. Some of these passwords had been held in this form for more than 10 years. The matter first came to light in 2019, when Facebook, now known as Meta, admitted to Ireland's Data Protection Commission (DPC) that hundreds of millions of passwords had inadvertently been stored in plaintext, that is, in a form readable by anyone with access to the data store.

After a five-year investigation by the DPC, Meta's Irish subsidiary was fined 91 million euros ($101.5 million). Meta was found to have violated Europe's General Data Protection Regulation (GDPR) by failing to store the passwords of many Instagram and Facebook users securely. Meta said the plaintext passwords were never accessible to anyone outside the company; it did, however, acknowledge that 2,000 engineers had made 9 million queries against the data store that held them. From a security standpoint that internal exposure is the point: a plaintext store is readable by every employee, tool and compromised internal account with query access, which is precisely the loss of confidentiality that GDPR's security requirements are meant to prevent.

The DPC's decision found that MPIL infringed the GDPR in the following respects:

Article 33(1): MPIL failed to notify the DPC of a personal data breach concerning the storage of user passwords in plaintext;
Article 33(5): MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
Article 5(1)(f): MPIL did not use appropriate technical or organisational measures to ensure appropriate security of users' passwords against unauthorised processing; and
Article 32(1): MPIL did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.


The DPC's decision issues a reprimand to MPIL under Article 58(2)(b) GDPR and imposes the aforementioned fine of 91 million euros ($101.5 million). The DPC added that it will publish the full decision and further related information in due course. The passwords covered by the ruling are believed to belong only to non-US users. In 2019, Meta told CNN that the majority of the plaintext passwords were for Facebook Lite, a stripped-down version of Facebook built for regions with slower internet connectivity.


Meta owns Facebook, Messenger, Instagram, and WhatsApp.