Certain social media users’ passwords were stored as “plain text” in internal systems without cryptographic protection or encryption.
On Friday, Ireland’s Data Protection Commission (DPC) fined Meta €91 million for unintentionally storing some users’ passwords without adequate protection or encryption. This was reported by Reuters and RTÉ.
The investigation began five years ago, in April 2019, when Meta notified the Irish DPC that some user passwords had been mistakenly stored as plain text in its internal systems without cryptographic protection or encryption.
The investigation revealed four violations of the EU’s General Data Protection Regulation (GDPR).
Meta publicly acknowledged the incident, stating that during a routine security review in 2019, it found that a subset of Facebook user passwords had been temporarily stored in readable format within its internal data systems.
The company took immediate action to fix the error after discovering it, and there was no evidence of password misuse. The DPC also confirmed that the passwords were not exposed to external parties.
In June, the DPC submitted its proposed fine to other European data protection authorities, and no objections were raised. The decision was then communicated to Meta.
EU’s Main Regulator
“It is generally accepted that user passwords should not be stored in plain text due to the risks of misuse,” said Graham Doyle, a DPC official in Ireland.
Meta cooperated constructively with the DPC throughout the investigation, a spokesperson said on Friday.
The DPC serves as the EU’s main regulator for most major U.S. internet companies, as many have chosen Ireland as their European headquarters.
To date, Meta has been fined a total of €2.5 billion in the EU for GDPR violations since the regulation was implemented in 2018, including a record €1.2 billion fine in 2023, which Meta has appealed.
