Remember when Facebook stored some 600 million Facebook account passwords in plaintext and then pretended like it was no big deal? It all went down at some point in 2019. Of note, the passwords were not hacked, though Facebook employees might have had access to them. Still, the EU investigated the security issues, going after Facebook for its decision not to encrypt the passwords.
Five years later, Facebook is known as Meta, but its Facebook problems did not go away with the name change. Meta just received a $101.8 million fine following the conclusion of the Irish Data Protection Commission’s (DPC) investigation.
The DPC started its investigation after Meta notified the regulatory body that it had stored passwords in “plaintext” on its internal systems. The DPC announced its final decision on Thursday, which included a reprimand and a fine of €91 million ($101.8 million) under the EU’s GDPR regulations.
The EU’s General Data Protection Regulation came into play in mid-2018 in Europe, forcing tech companies to give their customers more control over the data collected from them. Internet users in the EU can ask companies like Meta to provide access to their data and delete their accounts.
Users can also object to data collection via cookies and other tools. Also important is the requirement that companies report data breaches to authorities within a few days. The same companies must implement security measures to protect user data, including passwords.
The DPC found that Meta (MPIL) infringed various GDPR articles:
Article 33(1) GDPR, as MPIL failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext;
Article 33(5) GDPR, as MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
Article 5(1)(f) GDPR, as MPIL did not use appropriate technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing; and
Article 32(1) GDPR, because MPIL did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.” DPC Deputy Commissioner Graham Doyle said in a statement. “It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
Meta confirmed the plaintext passwords in 2019. While it said that hundreds of millions of users had their passwords stored in plaintext, it didn’t confirm the actual figure. Meta said it did not find evidence of employees accessing those passwords at the time. Finally, Meta said it would notify people whose accounts had passwords stored in plaintext.
The bulk of the users affected were hundreds of millions of Facebook Lite users. That’s a version of the app available on Android in markets where internet connectivity isn’t that good. This detail implied most of the affected users were outside of the US. But millions of Facebook users and tens of thousands of Instagram users were also affected.
Security researcher Brian Krebs said back then that he had learned from a source within Facebook that Facebook employees could have accessed the plaintext passwords since 2012. The passwords were searchable in the list. Some 2,000 engineers or developers reportedly made nine million internal queries for data elements that contained plaintext passwords.
Krebs also revealed the scope of the security issue, saying his source informed him that more than 600 million accounts were impacted.
Since the passwords did not leak online, resetting your password at the time was unnecessary. But it is a good idea to routinely reset account passwords, especially for services like email, social networks, and streaming sites.
As for the fine, it’ll be interesting to see whether Meta contests it. Whatever the case, $101.8 million is a drop in the bucket compared to the billions Meta makes from online ads.