
Up to 600 million Facebook and Instagram passwords stored in plain text

Meta has been fined €91M ($101M) after it was discovered that up to 600 million Facebook and Instagram passwords had been stored in plain text.

Some of those passwords had been unprotected since 2012, and were searchable by more than 20,000 Meta employees …

The security breach was discovered in 2019 but, as Engadget reports, had existed for seven years.

While Meta didn’t say how many accounts were affected, a senior employee told Krebs on Security at the time that the incident involved up to 600 million passwords. Some of the passwords had been stored in an easily readable format on the company’s servers since 2012.

Not only did Meta break the law by failing to protect the passwords in the first place, but it also failed to comply with its legal obligation to promptly report the matter to the regulator once it was discovered.

The Irish Data Protection Commission (DPC) found that Meta violated several GDPR rules related to the breach. It determined that the company failed to “notify the DPC of a personal data breach concerning storage of user passwords in plaintext” without undue delay and failed to “document personal data breaches concerning the storage of user passwords in plaintext.” It also said that Meta violated the GDPR by not using appropriate technical measures to ensure the security of users’ passwords against unauthorized processing.

9to5Mac’s Take

A $101M fine seems rather small for a breach of this severity over such a long period of time. With email addresses and passwords, an attacker could have taken over hundreds of millions of Facebook and Instagram accounts.

For Facebook in particular, it would have exposed posts which were deliberately limited to a small audience of close friends for privacy reasons.

Europe’s GDPR law allows companies to be fined up to 4% of their global revenue for breaches of privacy requirements, so there was scope here for a much more meaningful fine. It’s only when regulators start levying fines large enough to cost senior execs sleep that we’ll see companies treat privacy breaches with the seriousness they deserve.

Photo by Mourizal Zativa on Unsplash


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
