Meta fined $102M for storing 600 million users’ passwords in plain text without encryption
Meta has been hit with a €91M ($101.5M) fine by the EU privacy regulator after it was found to have stored millions of Facebook and Instagram passwords in an unencrypted format. The penalty follows a 2019 investigation, where it was revealed that 600 million passwords were stored in plain text, according to a report from Reuters.
The inquiry was sparked when Meta reported to Ireland’s Data Protection Commission (DPC) that it had discovered some passwords had been saved without encryption. The social giant publicly acknowledged the issue at the time, confirming that the unprotected passwords had not been exposed to external parties, Reuters reported.
Graham Doyle, Deputy Commissioner at the DPC, noted the widely recognized risk of storing user passwords without encryption, underscoring the potential for abuse if such data were accessed.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Doyle said in a statement.
Meta said it responded quickly when the issue was identified during a 2019 security review, fixing the problem and stating that there was no evidence the passwords had been misused. A company spokesperson highlighted that Meta had worked closely with the DPC throughout the investigation.
This fine adds to the €1.2 billion penalty imposed on Meta last year over data transfers to the U.S. In total, Meta has now been fined €2.5 billion for various breaches under the EU’s General Data Protection Regulation (GDPR), introduced in 2018. The company is appealing the €1.2 billion fine from 2023.
The DPC’s latest ruling found four violations of GDPR, including failure to secure personal data properly. Meta’s spokesperson reiterated that the issue was resolved in 2019 with no evidence of improper access or misuse of passwords. The DPC will release further details of its findings soon.