Meta spanked for violating GDPR as it stored 600 million social media account passwords in plaintext

2comments
Meta's infinity logo is printed above the company's wordmark on an off-white backdrop.
In a day and age when online security is more important than ever, Meta Platforms Ireland Limited (MPIL).was found to have stored over 600 million passwords belonging to Instagram and Facebook users in plaintext. Some of these passwords have been around in this form for more than 10 years. The sunshine first fell on this subject matter in 2019 when Facebook, now known as Meta, admitted to the Data Protection Commission (DPC) that hundreds of millions of passwords were stored inadvertently unencrypted in plaintext.

After a five-year investigation by the DPC, Meta's operations in Ireland were fined $101.5 million. Meta was found to have violated Europe's General Data Protection Regulation (GDPR) by not storing the passwords of many Instagram and Facebook users in a more secure manner. Meta claimed that these unencrypted passwords were not available to people outside of the company. However, the company did admit that 2,000 engineers had made 9 million queries regarding this specific user database.

The DPC's decision found that Meta Platforms Ireland Limited (MPIL) failed to follow GDPR rules by committing the following violations:

Article 33(1)-MPIL failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext;
Article 33(5)-MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
Article 5(1)(f)-MPIL did not use appropriate technical or organizational measures to ensure appropriate security of users’ passwords against unauthorized processing; and
Article 32(1)-MPIL did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.


Recommended Stories
The decision by the DPC requires Meta to issue a reprimand pursuant to Article 58(2)(b) GDPR; and pay the aforementioned 91 million Euro fine ($101.5 million). The DPC added that it will publish the full Decision and further related information in due course. It is believed that the passwords included in the ruling only cover non-US users. In 2019, Meta told CNN that the majority of the plaintext passwords were for a service called Facebook Lite which was a less comprehensive social media service for areas of the world that had slower internet connectivity.


Meta owns Facebook, Messenger, Instagram, and WhatsApp.
Can’t get enough of mobile tech?
Subscribe to access new exclusive content and perks.
You can still enjoy the standard PhoneArena experience for free.
  • In-depth reviews, tests & analyses
  • Expert opinions on the latest trends
  • Live community events and games
  • Ad-free browsing, discounts and more
Start Free Trial See the latest subscriber-only articles

Recommended Stories

Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless