Meta Fined €91 Million for Storing Millions of Facebook and Instagram Passwords in Plaintext

Avatar
The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly stored users’ passwords in plaintext in its systems. The investigation, launched by the DPC the next month, found that the social media giant violated four different articles under the European Union’s

The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly stored users’ passwords in plaintext in its systems.

The investigation, launched by the DPC the next month, found that the social media giant violated four different articles under the European Union’s General Data Protection Regulation (GDPR).

To that end, the DPC faulted Meta for failing to promptly notify the DPC of the data breach, document personal data breaches concerning the storage of user passwords in plaintext, and utilize proper technical measures to ensure the confidentiality of users’ passwords.

Meta originally revealed that the privacy transgression led to the exposure of a subset of users’ Facebook passwords in plaintext, although it noted that there was no evidence it was improperly accessed or abused internally.

According to Krebs on Security, some of these passwords date back to 2012, with a senior employee stating “some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords.”

A month later, the company acknowledged that millions of Instagram passwords were also stored in a similar manner, and that it’s notifying affected users.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, deputy commissioner at the DPC, said in a press statement.

“It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

In a statement shared with Associated Press, Meta said it took “immediate action” to fix the error, and that it “proactively flagged this issue” to the DPC.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign

Next Post

Critical Flaws in Tank Gauge Systems Expose Gas Stations to Remote Attacks

Related Posts

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a
Avatar
Read More