Investigation into 2019 Password Incident

In March 2019, Meta (formerly Facebook) faced scrutiny after it was revealed that the company had stored customer passwords in plain text within its systems. Following an investigation, the Irish Data Protection Commission (DPC) has now fined Meta €91 million ($101.56 million) for violations of data protection laws.

You might be interested in: Meta Faces €91M Fine for Password Breach

Breach of EU Data Protection Rules

The DPC launched its inquiry in April 2019, soon after the breach was reported. During the investigation, it was found that Meta violated four separate rules outlined in the European Union’s General Data Protection Regulation (GDPR).

Key Failures Highlighted by the DPC

The investigation pointed to several key failures on Meta’s part. First, the company did not promptly inform the DPC about the data breach. Additionally, Meta did not properly document personal data breaches, including the issue of storing user passwords in plain text. The DPC also criticized Meta for not using the necessary security measures to protect the privacy of user passwords.

No Evidence of Misuse, But Serious Concerns Raised

Initially, Meta acknowledged that some Facebook user passwords were stored in plain text. The company assured the public that there was no evidence suggesting the passwords had been accessed or misused by unauthorized parties. However, a senior employee revealed that around nine million internal queries were made that involved plain text user passwords. According to Krebs on Security, about 2,000 engineers and developers ran these queries, and some of the passwords dated back to 2012.

Instagram Also Affected

A month later, Meta confirmed that millions of Instagram passwords had been stored in a similar way. Affected users were notified, and the company worked quickly to address the issue.

DPC’s Official Statement on Password Storage

Graham Doyle, the deputy commissioner at the DPC, made it clear that storing user passwords in plain text is a major risk. “It’s widely accepted that user passwords should not be stored in plain text due to the danger of misuse,” he stated in a press release.

The DPC emphasized the sensitivity of the case, explaining that the affected passwords could give unauthorized individuals access to users’ social media accounts.

Meta’s Response

Meta took swift action to resolve the problem and reported the issue to the DPC voluntarily. In a statement shared with the Associated Press, Meta said it took “immediate action” to fix the situation.