The social media enormous Meta has been fined €91 million ($101 million) for accidenloftyy storing hundreds of millions of its engagers’ passwords in plaintext instead of in an encrypted establishat on its inside systems.
Meta first proclaimd uncovering the engineering misachieve back in 2019. At the time, the company stated it would be inestablishing everyone whose passwords were stored without getion although it stressed the passwords were only exposed internpartner at Meta, and there was no evidence that any of them had been unfair treatmentd.
Folloprosperg a five year spendigation, the Irish Data Protection Comleave oution (DPC) — which is the EU’s direct privacy authority on Meta, as the company’s European headquarters are based in Ireland — set up the incident was a bachieve of Meta’s legitimate duties under the EU’s General Data Protection Regulations (GDPR).
In a statement on Friday, the DPC shelp it was issuing a reprimand and fine to Meta for cut offal bachievees of the GDPR, including flunking to inestablish the DPC of the personal data bachievees and also flunking to perestablish appropriate technical meaconfidents to get engagers’ passwords.
To log in to an online service, that service necessitates to understand what a engager’s password is; it is a secret splitd by both the engager and the service. But to stop those passwords being stolen — either by malicious insiders or by hackers who have broken into their systems — passwords are typicpartner stored in a geted establishat by the online service.
As the company elucidateed, Facebook normpartner gets people’s passwords using industry standard cryptoexplicit techniques — including hashing and salting. It is unclear why this was not the case for a big number of Facebook and Instagram engagers.
The DPC shelp it had splitd its decision with other EU authorities and none of them objected to the fine, although the brimming decision elucidateing the fine was not published alengthyside the regulator’s proclaimment on Friday.
Its deputy comleave outioner, Graham Doyle, shelp: “is expansively acunderstandledgeed that engager passwords should not be stored in plaintext, pondering the dangers of unfair treatment that aascfinish from persons accessing such data. It must be borne in mind, that the passwords the subject of ponderation in this case, are particularly comardent, as they would allow access to engagers’ social media accounts.”
Meta did not instantly reply to a ask for comment.
Recorded Future
Ininestablishigence Cboisterous.
