Meta has been fined €91 million for incorrectly storing social media account passwords in unencrypted databases.
Meta notified the Irish Data Protection Commission it had unintentionally stored the passwords in plain text within its internal systems.
Following an inquiry in April 2019, the Irish Data Protection Commission (DPC) found that Meta had violated General Data Protection Regulation four times, and has issued the fine along with a warning for the company to improve its security structures.
Not the first time
Storing passwords in plain text is frowned upon for obvious reasons, especially as it makes them vulnerable to attackers if a data breach occurs.
This isn’t the first time the company has been fined for violating GDPR. In January 2023, Meta was hit by a €390 million fine by the DPC for serving personalized ads without the option to opt-out and its data handling practices.
Then in May 2023, Meta was fined the highest possible GDPR fine of €1.2 billion for transferring data from the EU to the US outside of GDPR guidelines. EU data remains protected by GDPR even when moved outside of the EU.
Meta was also fined €265 million by the DPC in 2022 after data that had been scraped from Facebook was leaked on a hacking forum. The leak contained the data of 533 million people across 106 countries.
Speaking on Meta’s most recent fine, DPC deputy commissioner Graham Doyle said, “It is widely accepted that user passwords should not be stored in 'plaintext' considering the risks of abuse that arise from persons accessing such data.”
"It must be borne in mind, that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts,” Doyle concluded.
Via BBC
More from TechRadar Pro
- These are the best free password managers
- The US government wants to cut out some of its weirdest password rules
- Take a look at the best password generators