Meta Fined $102 Million for Storing 600 Million User Passwords in Plain Text
Five years ago, Facebook (now Meta) revealed that it had stored hundreds of millions of user account passwords in plain text, making them easily searchable by any of the company’s 20,000 Facebook employees. Now, at least one government regulator is taking the social media giant to task for its egregious security violation.
As reported by Engadget, the Irish Data Protection Commission (DPC) has fined Meta 91 million Euros (approximately $102 million) for the security breach. Following an investigation, the DPC determined that Meta violated several EU GDPR rules, including failing to “notify the DPC of a personal data breach concerning storage of user passwords in plaintext” and failing to “document personal data breaches concerning the storage of user passwords in plaintext.”
The DPC also ruled that Meta violated the GDPR by failing to implement appropriate security measures in the first place.
"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts."
Graham Doyle, DPC Deputy Commissioner
While the stored passwords were originally only believed to affect Facebook, a month later, it admitted millions of Instagram user passwords were also included in the mix. To make matters worse, this wasn’t a temporary glitch; as KrebsOnSecurity discovered, many of these passwords had been stored this way for seven years, leaving them wide open to any one of over half of the company’s employees who felt like taking a peek.
The company maintained that it did its own internal investigation, and a spokesperson said they found no cases “where someone was looking intentionally for passwords” or had otherwise misused that data. Some passwords were “inadvertently logged” but not exposed in a way that created any “actual risk.”
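The two failure modes described above, plaintext at rest and “inadvertently logged” secrets, are shown side by side with the defender’s fix in this added Python example, which is not Meta’s code and assumes a hypothetical in-memory user store and an in-memory log buffer so it runs offline:

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Constructed in-memory log sink so the example runs offline and can be inspected.
LOG_BUFFER = StringIO()
log = logging.getLogger("auth_example")
log.setLevel(logging.INFO)
log.propagate = False
log.addHandler(logging.StreamHandler(LOG_BUFFER))

USERS = {}  # hypothetical user store: username -> {"salt": bytes, "hash": bytes}
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # memory-hard parameters (16 MiB per hash)

def register(username: str, password: str) -> None:
    """Store only a random per-user salt and an scrypt hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt,
                       "hash": hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)}

def verify(username: str, password: str) -> bool:
    """Recompute the hash and compare in constant time; the stored record is useless for login."""
    rec = USERS.get(username)
    if rec is None:
        return False
    candidate = hashlib.scrypt(password.encode(), salt=rec["salt"], **SCRYPT)
    return hmac.compare_digest(candidate, rec["hash"])

def login_leaky(form: dict) -> bool:
    """The failure mode: logging the whole request writes the plaintext password to the log."""
    log.info("login attempt: %s", form)
    return verify(form["user"], form["password"])

def login_safe(form: dict) -> bool:
    """Log only non-secret fields so the password never reaches storage or logs."""
    log.info("login attempt: user=%s", form["user"])
    return verify(form["user"], form["password"])

# Detection check: flag log lines that carry a credential-looking field name.
SECRET_FIELD = re.compile(r"(?i)['\"]?(password|passwd|pwd|secret|token)['\"]?\s*[:=]")

def leaked_lines(log_text: str) -> list:
    """Return the log lines that appear to contain a credential field."""
    return [line for line in log_text.splitlines() if SECRET_FIELD.search(line)]

def log_contains(secret: str) -> bool:
    return secret in LOG_BUFFER.getvalue()
```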
A Facebook insider told Krebs that internal access logs revealed around 2,000 engineers and developers had made “approximately nine million internal queries for data elements that contained plain text user passwords,” but there’s no indication that those queries specifically targeted passwords.
The majority of the passwords stored in plain text were also for “Facebook Lite,” a cut-down service aimed at emerging markets where internet speeds are too slow to handle the full Facebook experience.
Nevertheless, Meta’s blunder is an example of why we should all practice good password hygiene and how it’s a terrible idea to reuse passwords across multiple services. If one of the world’s largest and most valuable tech companies has such lax security, it’s hard to count on any site to ensure your passwords won’t leak out into the wild.
Many folks use the same password for multiple services, and in this case, having your Facebook password the same as your online banking password would have potentially given any one of 20,000 Facebook employees the ability to access your financial data. While there’s no indication that happened, the possibility on its own should be disturbing.
The move toward passkeys will do even more to prevent compromised passwords from enabling hackers to break into your accounts. Passkeys are cryptographic credentials designed so that the server holds only a public key: there is no password or other secret on the server side to leak or to reuse elsewhere.