The European Union’s lead privacy regulator imposed a 91 million euro ($101.5 million) fine on Meta on Friday for not properly securing some users’ passwords.
This issue, uncovered during a security audit in 2019, involved storing passwords in ‘plaintext’ format, a method that fails to provide essential protection or encryption.
The investigation, initiated five years ago after Meta reported the issue to Ireland’s Data Protection Commission (DPC), determined that although the passwords were not disclosed to external parties, the potential for misuse was significant. “Storing user passwords in plaintext poses substantial risks,” stated Irish DPC Deputy Commissioner Graham Doyle.
In response, a Meta spokesperson emphasized that the company promptly corrected the mistake once it was discovered, and confirmed there was no evidence of misuse of, or unauthorized access to, the passwords. Furthermore, Meta has been actively cooperating with the DPC throughout the inquiry.
Based in Ireland, the DPC serves as the primary EU regulator for several leading U.S. tech companies because their EU operations are located there. Meta has accumulated fines totalling 2.5 billion euros for various breaches under the General Data Protection Regulation (GDPR) since its enactment in 2018. This includes a record 1.2 billion euro fine in 2023, which Meta is currently appealing.