Meta Platforms, the owner of Facebook and Instagram, has been fined €91 million (almost $102 million) in the European Union (EU) for mistakenly storing some users’ passwords without any safety measures in place, according to a report by Reuters.
Meta stored the passwords in plain text without any encryption or protection, according to an official inquiry led by the Irish Data Protection Commission (DPC).
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, DPC’s deputy commissioner, said in a statement following the announcement on the penalty.
The investigation into the security breach was launched in 2019, with Meta disclosing that some passwords were found stored in plan text on its servers.
Meta later revealed that a large volume of Instagram passwords were stored in a format that was easily readable, too. Reports at the time suggested that Meta employees could access up to 600 million Instagram passwords at the company. Its blog post on the haphazardly stored passwords is no longer available on the website.
Although the Irish regulator had claimed the passwords were not available to external parties, the incident raised burning questions about the safety and security protocols for users at Meta, which has more than three billion users across its popular social media platforms.
“This is an issue that has already been widely reported, but we want to be clear that we simply learned there were more passwords stored in this way,” Meta had said. “There is no evidence of abuse or misuse of these passwords.”
The DPC oversees matters relating to privacy and consumer safety for various leading tech corporations, including Meta Platforms, Microsoft, and Amazon, since their European headquarters are located in Dublin. The watchdog has fined Meta billions of dollars to date in cases pertaining to violations of child safety, privacy, and data protection.
