Meta stored 600 million Facebook and Instagram passwords in plain text

Posted in General Discussion

Across Facebook and Instagram, Meta has been storing more than half a billion users' passwords in plain text, with some easily readable for more than a decade.

[Image: Large Facebook sign at 1 Hacker Way, one of Facebook/Meta's headquarters]

The issue was first uncovered in 2019 when Facebook admitted to "hundreds of millions" of passwords being stored unencrypted. Facebook, now Meta, said that the passwords were not available outside of the company -- but also admitted that around 2,000 engineers had made about 9 million queries on that user database.

Now Meta's operation in Ireland has finally been fined $101.5 million after a five-year investigation by the Irish Data Protection Commission (DPC). The fine is levied under Europe's stringent General Data Protection Regulation (GDPR).

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered.

What users were affected

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any belonging to US users as well as those of users in Ireland or across the rest of the European Union.

It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

Also, Meta is separately appealing a 2023 DPC ruling regarding GDPR which does potentially include US data. According to MoneyCheck, Meta was reportedly fined $1.3 billion for infringing data protection regulations concerning the transfer of user data between the EU and the US.

It's also not known how Meta has since revamped its security, as it presumably has; the only detail disclosed is that at least some passwords were stored unencrypted from 2012.

The ruling against Meta follows years of different privacy and security scandals involving Facebook. Shortly before this issue first surfaced, Facebook was being investigated by federal authorities over data sharing with other companies, most notoriously including Cambridge Analytica.


Comments

  • Reply 1 of 16
    Pema (Posts: 118)
    Meta has been ridden by one scandal after another. So what else is new? 
  • Reply 2 of 16
    Pema said:
    Meta has been ridden by one scandal after another. So what else is new? 
    This is bad/unprofessional even given all the past Facebook scandals.
  • Reply 3 of 16
    welshdog (Posts: 1,907)
    Companies will NEVER maintain robust security until there are real monetary and incarceration risks for security failures. Just look at what happened with National Public Data. Few corporations, even really big ones, take the security of our data seriously. I think Apple does, more than most, but obviously they seem to stand alone on this issue.

    Until some jagoff VP in charge of customer data gets put in jail for making an irresponsible security decision, this kind of thing won't stop. Fine companies a significant percentage of their annual revenue for losing our data, and then we'll see how seriously they take it. Also, 100% ban anyone but the government from using our SSNs and issue all new SSNs to reestablish the validity of our numbers. Severe penalties for not purging all our numbers from their systems and long term archives.
  • Reply 4 of 16
    welshdog said:
    Companies will NEVER maintain robust security until there are real monetary and incarceration risks for security failures. Just look at what happened with National Public Data. Few corporations, even really big ones, take the security of our data seriously. I think Apple does, more than most, but obviously they seem to stand alone on this issue.

    Until some jagoff VP in charge of customer data gets put in jail for making an irresponsible security decision, this kind of thing won't stop. Fine companies a significant percentage of their annual revenue for losing our data, and then we'll see how seriously they take it. Also, 100% ban anyone but the government from using our SSNs and issue all new SSNs to reestablish the validity of our numbers. Severe penalties for not purging all our numbers from their systems and long term archives.
    Agreed!  Yesterday our (juvenile) son received a piece of mail indicating his data had been exposed in a data breach.  Grrrrr!!!

    The government needs to actually do something about this!  Pass laws requiring this data to not be stored on servers which are connected to the internet...  hold companies financially responsible for data breaches (not just offering a year of data monitoring), big fines! payable directly to the individual whose data was compromised, not the government...  hold the executives financially responsible...  hold the board of directors financially responsible.  Something!  But this needs to stop!

    As for SSNs, I agree 100%!
  • Reply 5 of 16
    eriamjh (Posts: 1,734)
    None of our information anywhere is safe because websites, companies, etc. are all f*cking stupid idiots.

    Tip: Every year, tell the CC company your cards were stolen.  Get new ones with new expiration dates.  No matter what.

    Too bad we can't change our SSN with the govt.   Those numbers have all been leaked for just about everyone.   What are we supposed to do about that?
  • Reply 6 of 16
    dewme (Posts: 5,680)
    welshdog said:
    Companies will NEVER maintain robust security until there are real monetary and incarceration risks for security failures. Just look at what happened with National Public Data. Few corporations, even really big ones, take the security of our data seriously. I think Apple does, more than most, but obviously they seem to stand alone on this issue.

    Until some jagoff VP in charge of customer data gets put in jail for making an irresponsible security decision, this kind of thing won't stop. Fine companies a significant percentage of their annual revenue for losing our data, and then we'll see how seriously they take it. Also, 100% ban anyone but the government from using our SSNs and issue all new SSNs to reestablish the validity of our numbers. Severe penalties for not purging all our numbers from their systems and long term archives.
    I have to agree. The near total lack of accountability for firms that put themselves in a position of trust with their customers and even the general public is mind-boggling. This pattern keeps repeating over and over and over again where a person or organization totally screws thousands or even millions of customers or the public and their tone deaf response is always the same, "Ooopsy, but we take (whatever they just massively screwed up) very seriously!" with no remorse for the damage they've just inflicted. They are totally pegging the bullshitometer and nobody in the chain of responsibility or in the enforcement agencies is doing squat about it. The offending e-suite morons are still handed their massive bonuses, building new super yachts, and hatching new schemes to avoid paying any taxes by schmoozing up to and controlling their puppet politicians.

    There was a time when I could feel a tiny bit of sympathy for those who built systems 25-30 years ago before security and privacy were paramount to all architecture, design, implementation, and testing. Just getting stuff to work in what was once a fledgling form of connectivity was considered a win. But times changed very rapidly when connectivity became universal and ubiquitous in nearly everything that runs modern day life.

    Companies like Meta have never had a defensible excuse when it comes to privacy and security. They came into existence when these concerns were front and center in everything that was being done. They cannot claim ignorance, not like doing so was ever a valid excuse. They are simply irresponsible, narrow minded, immature, and self-serving a-holes who have no regard whatsoever for the people they should feel a sense of responsibility to serve. They serve only themselves and their own self interests. They treat so called "customers" as simply advertising data producing livestock that they can use to line their own pockets with massive amounts of cash.

    Unfortunately, from an opportunistic make-a-buck perspective they are simply taking advantage of what so many people are willing to give away for relatively little or nothing in return. We know they are untrustworthy, we know they are slinging bullshit at every turn, we know they are only in it for themselves, and we know they treat us like a harvestable commodity, but we still can't keep ourselves from latching on to them like a piglet latches on to the mother sow. How many times must we be burned before we take it upon ourselves to take corrective action? The feds/authorities can't save us from ourselves, no matter how many times we or the authorities try.
  • Reply 7 of 16
    Just more proof how important it is to keep unique passwords for really important stuff. 
  • Reply 8 of 16
    danox (Posts: 3,294)
    Never use Meta if you don't have to and can avoid them, but for many with large extended families that might be impossible…
  • Reply 9 of 16
    By now you have to truly wonder how much of this stuff is purposeful. Not just meta either. So much of this exact same amateur hour stuff has been coming to light the last few years. 
  • Reply 10 of 16
    I have stopped using social media. Let's just say they all are nothing but pawns of the US government at this point. 🙄
  • Reply 11 of 16
    netrox (Posts: 1,485)
    I don't understand how it is possible for FB, with thousands of engineers, not to recognize the importance of salting and hashing passwords?!?!  That has been around since the 1970s!

    Even FB should know that passwords should never be in plain text or even be encrypted. They should just salt and hash their passwords which makes it impossible to hack for the foreseeable future and the passwords will never be known to anyone but the user (or the password manager). 
  • Reply 12 of 16
    This is the moronic company run by an idiotic billionaire who is unwilling to pay for consumer art and content to train their stupid AI because he doesn’t deem it valuable enough. So why should your passwords be encrypted? The government needs to leave Apple alone and investigate meta. There really needs to be much more oversight into social media companies and what they are allowed to do with our data. We need a European level of control over our personal data and these companies should automatically have to pay the end user damages when they inevitably fail. Maybe the CEO even needs to face jail time. Couldn’t imagine Zuck in orange??
    edited September 28
  • Reply 13 of 16
    I have stopped using social media. Let's just say they all are nothing but pawns of the US government at this point. 🙄
    Wow, good sarcasm love it. The sad thing is that there are truly some people who do believe that nonsense. The biggest fear for me is giving them your personal details and their selling, using it against you, or simply having it hacked which is why those alt app stores are so unappealing.
    edited September 28
  • Reply 14 of 16
    And yet the government is only worried about TikTok...
  • Reply 15 of 16
    Social media can F off. Was initially fun to connect with current and old friends but it’s now more shite than reality TV. Pretty simple if you don’t want to get ripped off: Two factor authentication, don’t share passwords among services, don’t save bank cards online, only transfer what you need for any given online purchase onto a ‘burner’ card, don’t acknowledge calls or emails involving money or that are purportedly from your ‘bank’ or investment portfolio.
  • Reply 16 of 16
    Social media can F off. Was initially fun to connect with current and old friends but it’s now more shite than reality TV. Pretty simple if you don’t want to get ripped off: Two factor authentication, don’t share passwords among services, don’t save bank cards online, only transfer what you need for any given online purchase onto a ‘burner’ card, don’t acknowledge calls or emails involving money or that are purportedly from your ‘bank’ or investment portfolio.
    If you just limit what you pay attention to and steer your pages toward that, social media isn't too bad. I'm not a fan of FaceBook at all but the others are manageable.