Meta Slapped With $102M Privacy Fine For Storing Passwords In Plain Text

The Irish Data Protection Commission (DPC) is levying a $102 million fine against Meta for violating the General Data Protection Regulation (GDPR) principles of integrity and confidentiality. After a five-year investigation, the watchdog found that the social media giant was inadvertently storing user passwords in plaintext, without any kind of protection or encryption.

Graham Doyle, the DPC’s Deputy Commissioner, says that “user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts."

It's shocking to see a company as large and as mature as Meta make this kind of mistake, when in theory it should have a robust set of security policies and dedicated security professionals onboard. Encryption of user passwords is the bare minimum level of security in 2024, and it certainly wasn’t any different when this lapse in security occurred back in 2019. At the very least someone inside the company eventually realized what was happening, which lead to Meta notifying the DPC of this GDPR breach.

Hopefully, this incident and the size of the fine will be a lesson for other companies who may be practicing similarly lackadaisical policies when it comes to storing user passwords. It’s also not a bad idea for users of Meta’s services to pre-emptively update their passwords, just in case this data ends up making its way out to the web down the line. A good password manager can help in making updating passwords less painful when situations like this one arise.