Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Facebook Security The Almighty Buck Slashdot.org

Meta Fined $102 Million For Storing 600 Million Passwords In Plain Text (appleinsider.com) 28

Meta has been fined $101.5 million by the Irish Data Protection Commission (DPC) for storing over half a billion user passwords in plain text for years, with some engineers having access to this data for over a decade. The issue, discovered in 2019, predominantly affected non-US users, especially those using Facebook Lite. AppleInsider reports: Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any of US users as well as ones in Ireland or across the rest of the European Union. It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

This discussion has been archived. No new comments can be posted.

Meta Fined $102 Million For Storing 600 Million Passwords In Plain Text

Comments Filter:
  • I'm shocked! (Score:5, Insightful)

    by Miles_O'Toole ( 5152533 ) on Friday September 27, 2024 @06:51PM (#64822943)

    Everybody with a three-figure IQ understands that Meta has no respect for anyone's privacy or security except Zuckerberg's. Why would anybody be surprised when he rubs our noses in it by storing passwords in plain text?

    • by Anonymous Coward

      Everybody with a three-figure IQ understands that Meta has no respect for anyone's privacy or security except Zuckerberg's. Why would anybody be surprised when he rubs our noses in it by storing passwords in plain text?

      I learned about the need for hashing and salting stored passwords in the late 80's in class from a paper written in the 70's. Yet somehow 2000 engineers looked up 9 million in the clear passwords and no one complained? What kind of engineers does Meta hire?

  • by Art Challenor ( 2621733 ) on Friday September 27, 2024 @06:51PM (#64822947)
    $100M? Would you change your behavior if the fine for not doing so was $1? That's about the ratio here...
    • by stabiesoft ( 733417 ) on Friday September 27, 2024 @07:39PM (#64823009) Homepage
      Worse more like 16c ea. A buck would have been 600M, still peanuts. Should have been 60B, that might get someone's attention.
    • $100M? Would you change your behavior if the fine for not doing so was $1? That's about the ratio here...

      Yes I would. European law unlike American law is staggered. The first of a type of offence is often quite lenient in comparison to a re-offence. Meta would be unwise to consider $100m as a cost of doing business today, because that number will very very much inflate tomorrow.

      In other news a police officer let me off with an official warning last time I got caught speeding, that won't happen again.

  • Isn't Ireland already getting plenty of money from these companies that domicile there? It might not be a good idea to gill the golden goose.
  • by mspohr ( 589790 ) on Friday September 27, 2024 @07:03PM (#64822965)

    Zuck has already said that he's sorry he ever apologized for anything Facef did so don't expect an apology.

  • Seriously? (Score:5, Interesting)

    by Local ID10T ( 790134 ) <ID10T.L.USER@gmail.com> on Friday September 27, 2024 @07:14PM (#64822969) Homepage

    "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

    Since when are social media account passwords "particularly sensitive". It's online bullshitting. It is not your bank account.

    Fine 'em for the violation... but don't BS us about how important social media accounts are -life goes on without them, otherwise being banned would be a crime.

    • by Anonymous Coward
      A lot of damage could potentially be done if someone gets into your social media account; best case you'll have a lot of explaining to do to people that you were hacked. Also, even though it's bad practice and people are told not to do it, people in reality do use the same password for multiple sites so getting a social media password could allow hackers into other sites for the user.
      • Re:Seriously? (Score:5, Informative)

        by ls671 ( 1122017 ) on Friday September 27, 2024 @10:26PM (#64823249) Homepage

        A lot of damage could potentially be done if someone gets into your social media account; best case you'll have a lot of explaining to do to people that you were hacked.

        It happened to a few broader family members of mine when outlook accounts were hacked. Hackers then send messages to all emails they had in the account saying they were stuck in Thailand or stuff like that and that they needed money urgently to solve the issue.

    • Re:Seriously? (Score:5, Informative)

      by Firethorn ( 177587 ) on Friday September 27, 2024 @07:42PM (#64823019) Homepage Journal

      You can use facebook to log into a number of other accounts these days, including ones with payment systems.

    • Re:Seriously? (Score:5, Insightful)

      by stabiesoft ( 733417 ) on Friday September 27, 2024 @07:42PM (#64823021) Homepage
      The problem is more that many non-techies use the same or some simple derivative password for all their accounts. I know, crazy, but people do it. So that is why every company that has a login should protect the customer's password.
    • The reality is for many people they are, ignoring the facebook creds can also be used to log in to other systems and that users are generally fuckwits and reuse passwords no matter how much you beat them up. Their Social media accounts have massive value for scams on the user and on others as well as huge amounts of information perfect for identity theft.
    • Re:Seriously? (Score:5, Insightful)

      by penguinoid ( 724646 ) on Friday September 27, 2024 @09:06PM (#64823143) Homepage Journal

      In the wrong country, you can be killed if the government finds out what your really think. And yes, complaining online is one way to catalyze change, especially in countries where you can be killed for it. (American keyboard warriors should instead go vote and drag their friends to the polls too.)

  • by kaoshin ( 110328 ) on Friday September 27, 2024 @07:18PM (#64822975)
    This might have been punitive to someone with a chain of taco trucks or something, but considering it is equivalent to less than one day's worth of Meta's average daily profit in 2023 this seems more like a warning than any kind of a real penalty.
  • by engineer37 ( 6205042 ) on Friday September 27, 2024 @08:15PM (#64823075)
    This makes me feel weird about the time and effort I put in to doing password hashing on my websites. I didnâ(TM)t spend that much time on it but I made sure to do it, it seemed like an obvious required first step, but I guess actually most people just donâ(TM)t bother at first? Feels weird. Also it wasnt that hard which is the other weird thing.
    • It's possible the logging system just grabbed the passwords and logged them when they came across the wire. Still a rookie mistake, but not as bad. The article doesn't clarify how it happened, but it seems to have not been in their main database.
  • by Anonymous Coward on Friday September 27, 2024 @08:46PM (#64823123)
    Well, isn't having those plain text passwords why Facebook/Meta exists in the first place?

    The stories detail some troubling behavior by Facebook's then 19-year old founder and CEO, Mark Zuckerberg, including using members' Facebook login information to break into members' private email accounts and hacking into a competitor's site and changing user profiles. (Source [businessinsider.com])

    Zuck: Yeah so if you ever need info about anyone at Harvard. Just ask. I have over 4,000 emails, pictures, addresses, SNS. People just submitted it. I don't know why. They "trust me". Dumb fucks. (Source [businessinsider.com])

    They should have been fined 6 billion Euros, that would be merely 10€ per password.

  • We've seen that the Israeli Defense Forces are embedded in Meta operations (and have used data they collect to feed their targeting AI that has been used to kill journalists and their families in the 'Where's Daddy' assassination program). Have THEY also had access?

Avoid strange women and temporary variables.

Working...