Meta Fined €91 Million for Storing Millions of Facebook and Instagram Passwords in Plaintext

Avatar
The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly stored users’ passwords in plaintext in its systems. The investigation, launched by the DPC the next month, found that the social media giant violated four different articles under the European Union’s

The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly stored users’ passwords in plaintext in its systems.

The investigation, launched by the DPC the next month, found that the social media giant violated four different articles under the European Union’s General Data Protection Regulation (GDPR).

To that end, the DPC faulted Meta for failing to promptly notify the DPC of the data breach, document personal data breaches concerning the storage of user passwords in plaintext, and utilize proper technical measures to ensure the confidentiality of users’ passwords.

Meta originally revealed that the privacy transgression led to the exposure of a subset of users’ Facebook passwords in plaintext, although it noted that there was no evidence it was improperly accessed or abused internally.

According to Krebs on Security, some of these passwords date back to 2012, with a senior employee stating “some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords.”

A month later, the company acknowledged that millions of Instagram passwords were also stored in a similar manner, and that it’s notifying affected users.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, deputy commissioner at the DPC, said in a press statement.

“It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

In a statement shared with Associated Press, Meta said it took “immediate action” to fix the error, and that it “proactively flagged this issue” to the DPC.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign

Next Post

Critical Flaws in Tank Gauge Systems Expose Gas Stations to Remote Attacks

Related Posts

New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation. "It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity
Avatar
Read More

FTC proposes tougher children’s data privacy rules for first time in a decade

The Federal Trade Commission (FTC) is proposing new restrictions on the use and disclosure of children’s personal data and wants to make it much harder for companies to exclude children from their services if they can’t monetize their data, the agency announced Wednesday.
Jason Macuray
Read More