Meta stored 600 million Facebook and Instagram passwords in plain text
Across Facebook and Instagram, Meta has been storing more than half a billion users' passwords in plain text, with some easily readable for more than a decade.
One of Facebook/Meta's headquarters
The issue was first uncovered in 2019 when Facebook admitted to "hundreds of millions" of passwords being stored unencrypted. Facebook, now Meta, said that the passwords were not available outside of the company -- but also admitted that around 2,000 engineers had made about 9 million queries on that user database.
Now Meta's operation in Ireland has finally been fined $101.5 million after a five-year investigation by the Irish Data Protection Commission (DPC). The fine is levied under Europe's stringent General Data Protection Regulation (GDPR).
"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."
Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered.
What users were affected
Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any of US users as well as ones in Ireland or across the rest of the European Union.
It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.
Also, Meta is separately appealing a 2023 DPC ruling regarding GDPR which does potentially include US data. According to MoneyCheck, Meta was reportedly fined $1.3 billion for infringing data protection regulations concerning the transfer of user data between the EU and the US.
It's also not known how Meta has presumably revamped its security, only that at least some passwords were stored unencrypted from 2012.
The ruling against Meta follows years of different privacy and security scandals involving Facebook. Shortly before this issue first surfaced, Facebook was being investigated by federal authorities over data sharing with other companies, most notoriously including Cambridge Analytica.
Read on AppleInsider
Comments
The government needs to actually do something about this! Pass laws requiring this data to not be stored on servers which are connected to the internet... hold companies financially responsible for data breaches (not just offering a year of data monitoring), big fines! payable directly to the individual whose data was compromised, not the government... hold the executives financially responsible... hold the board of directors financially responsible. Something! But this needs to stop!
As for SSNs, I agree 100%!
Tip: Every year, tell the CC company your cards were stolen. Get new ones with new expiration dates. No matter what.
Too bad we can't change our SSN with the govt. Those numbers have all been leaked for just about everyone. What are we supposed to do about that?
There was a time when I could feel a tiny bit of sympathy for those who built systems 25-30 years ago before security and privacy were paramount to all architecture, design, implementation, and testing. Just getting stuff to work in what was once a fledgling form of connectivity was considered a win. But times changed very rapidly when connectivity became universal and ubiquitous in nearly everything that runs modern day life.
Companies like Meta have never had a defensible excuse when it comes to privacy and security. They came into existence when these concerns were front and center in everything that was being done. They cannot claim ignorance, not like doing so was ever a valid excuse. They are simply irresponsible, narrow minded, immature, and self-serving a-holes who have no regard whatsoever for the people they should feel a sense of responsibility to serve. They serve only themselves and their own self interests. They treat so called "customers" as simply advertising data producing livestock that they can use to line their own pockets with massive amounts of cash.
Unfortunately, from an opportunistic make-a-buck perspective they are simply taking advantage of what so many people are willing to give away for relatively little or nothing in return. We know they are untrustworthy, we know they are slinging bullshit at every turn, we know they are only in it for themselves, and we know they treat us like a harvestable commodity, but we still can't keep ourselves from latching on to them like a piglet latches on to the mother sow. How many times must we be burned before we take it upon ourselves to take corrective action? The feds/authorities can't save us from ourselves, no matter how many times we or the authorities try.
Even FB should know that passwords should never be in plain text or even be encrypted. They should just salt and hash their passwords which makes it impossible to hack for the foreseeable future and the passwords will never be known to anyone but the user (or the password manager).