Across Facebook and Instagram, Meta has been storing more than half a billion users' passwords in plain text, with some easily readable for more than a decade.
One of Facebook/Meta's headquarters
The issue was first uncovered in 2019 when Facebook admitted to "hundreds of millions" of passwords being stored unencrypted. Facebook, now Meta, said that the passwords were not available outside of the company -- but also admitted that around 2,000 engineers had made about 9 million queries on that user database.
Now Meta's operation in Ireland has finally been fined $101.5 million after a five-year investigation by the Irish Data Protection Commission (DPC). The fine is levied under Europe's stringent General Data Protection Regulation (GDPR).
"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."
Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered.
What users were affected
Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any of US users as well as ones in Ireland or across the rest of the European Union.
It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.
Also, Meta is separately appealing a 2023 DPC ruling regarding GDPR which does potentially include US data. According to MoneyCheck, Meta was reportedly fined $1.3 billion for infringing data protection regulations concerning the transfer of user data between the EU and the US.
It's also not known how Meta has presumably revamped its security, only that at least some passwords were stored unencrypted from 2012.
The ruling against Meta follows years of different privacy and security scandals involving Facebook. Shortly before this issue first surfaced, Facebook was being investigated by federal authorities over data sharing with other companies, most notoriously including Cambridge Analytica.