Meta Fined $102 Million For Storing 600 Million Passwords In Plain Text

Meta has been fined $101.5 million by the Irish Data Protection Commission (DPC) for storing over half a billion user passwords in plain text for years, with some engineers having access to this data for over a decade. The issue, discovered in 2019, predominantly affected non-US users, especially those using Facebook Lite. AppleInsider reports: Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any of US users as well as ones in Ireland or across the rest of the European Union. It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

I'm shocked!

[Miles_O'Toole]

Everybody with a three-figure IQ understands that Meta has no respect for anyone's privacy or security except Zuckerberg's. Why would anybody be surprised when he rubs our noses in it by storing passwords in plain text?

Cost of Doing Business?

[Art Challenor]

$100M? Would you change your behavior if the fine for not doing so was $1? That's about the ratio here...

Re:

[stabiesoft]

Worse more like 16c ea. A buck would have been 600M, still peanuts. Should have been 60B, that might get someone's attention.

Isn't Ireland already getting plenty of money?

[galabar]

Isn't Ireland already getting plenty of money from these companies that domicile there? It might not be a good idea to gill the golden goose.

Zucks not apologizing

[mspohr]

Zuck has already said that he's sorry he ever apologized for anything Facef did so don't expect an apology.

Seriously?

[Local ID10T]

"It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Since when are social media account passwords "particularly sensitive". It's online bullshitting. It is not your bank account.

Fine 'em for the violation... but don't BS us about how important social media accounts are -life goes on without them, otherwise being banned would be a crime.

Re:

[Firethorn]

You can use facebook to log into a number of other accounts these days, including ones with payment systems.

Re:

[stabiesoft]

The problem is more that many non-techies use the same or some simple derivative password for all their accounts. I know, crazy, but people do it. So that is why every company that has a login should protect the customer's password.

Obviously not punitive

[kaoshin]

This might have been punitive to someone with a chain of taco trucks or something, but considering it is equivalent to less than one day's worth of Meta's average daily profit in 2023 this seems more like a warning than any kind of a real penalty.

Feels weird

[engineer37]

This makes me feel weird about the time and effort I put in to doing password hashing on my websites. I didnâ(TM)t spend that much time on it but I made sure to do it, it seemed like an obvious required first step, but I guess actually most people just donâ(TM)t bother at first? Feels weird. Also it wasnt that hard which is the other weird thing.