Meta Fined $101.5M Over Facebook and Instagram Password Breach, Involves Up to 600 Million Accounts

Highlights

• Meta has been fined $101.5 million by the Irish Data Protection Commission.
• Investigation revealed Meta stored Facebook and Instagram passwords in plain text.
• Password breach reportedly impacted up to 600 million users.
• Passwords have been accessible to over 20,000 Meta employees since 2012.

Meta has been slapped with a $101.5 million (€91 million) fine by the Irish Data Protection Commission (DPC) following an investigation into a major security breach. As per a recent report in Engadget,  the breach involved Meta mistakenly storing Facebook and Instagram users’ passwords in plain text leaving them vulnerable to internal access.

This investigation first came to light in January 2019 when Meta announced that some user passwords had been stored in plain text on its servers. However, after a month, Meta admitted that millions of Instagram passwords were stored in a readable and unsecured format.

 During the previous announcement, Meta never officially confirmed how many users were impacted.

However, a senior employee told Krebs on Security that as many as 600 million passwords were involved in the breach.

Reports now claim that some of these passwords have been stored in plain text since 2012. If true, this means the passwords were accessible to over 20,000 Facebook employees.

Meanwhile, the DPC has confirmed that the passwords were not made available to outside parties.

Apart from the grave security lapse, Meta also faces criticism for failing to promptly report the breach to regulators. Companies are legally obligated under data protection laws to do so.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” DPC’s Deputy Commissioner, Graham Doyle, said in a statement.

Many industry experts have been quick to argue that a $101.5 million (€91 million) fine is small in comparison to the severity of the breach. Europe’s GDPR law allows fines of up to 4% of a company’s global revenue.

The breach of this scale put email addresses and passwords at risk. Any cyber attackers could have potentially taken control of millions of Facebook and Instagram accounts.

The incident highlights ongoing privacy concerns. Critics have been suggesting that fines need to be much higher and better policy implementation for companies to take data breaches more seriously.

FAQs

Q1. Why was Meta fined by the Irish Data Protection Commission (DPC)?

Answer. Meta was fined $101.5 million for storing Facebook and Instagram users’ passwords in plain text, making them vulnerable to internal access. The investigation revealed that up to 600 million passwords were affected.

Q2. Were Facebook passwords exposed to external parties in Meta 2019 breach?

Answer. No, the DPC confirmed that the passwords were not made available to outside parties. However, they have been accessible to over 20,000 Facebook employees since 2012.

Read More: Facebook and Instagram getting new AI tags for AI-generated content and media

Read More: Meta introduces cross-post from Instagram and Facebook to Threads

Read More: Meta enhances AI content transparency on Facebook, Instagram, and Threads