Meta Stored As Many As 600 Million Facebook and Instagram Passwords in Plain Text Format

The security breach was discovered in 2019, but had reportedly existed for seven years, reports Engadget (via 9to5Mac).

While Meta didn’t say how many accounts were affected, a senior employee told Krebs on Security back then that the incident involved up to 600 million passwords. Some of the passwords had been stored in easily readable format in the company’s servers since 2012.

Not only did Meta fail to protect the passwords, it also failed to promptly report the matter to the regulator once it was discovered, violating several GDPR rules.

The Irish Data Protection Commission (DPC)  found that Meta violated several GDPR rules related to the breach. It determined that the company failed to “notify the DPC of a personal data breach concerning storage of user passwords in plaintext” without undue delay and failed to “document personal data breaches concerning the storage of user passwords in plaintext.” It also said that Meta violated the GDPR by not using appropriate technical measures to ensure the security of users’ passwords against unauthorized processing.

With as many as 600 million email addresses and passwords stored as plain text, even the most inept bad actor could have used the information to take over hundreds of millions of Facebook and Instagram accounts.

As noted by 9to5Mac, Europe’s GDPR law allows companies to be fined up to 4% of their global revenue for breaches of privacy requirements, so there was plenty of room here for a much larger fine to be levied, and considering the scope of the issue, there should have been a much greater fine. Unfortunately, officials only talk a good game when it comes to getting companies like Meta to fall in line and actually protect their users’ password and other information. The $101 million fine levied against Meta amounts to little more than a rounding error when compared to Meta’s yearly revenue.