Excerpt from The Hacker News article, published on Sep 30, 2024.

Meta, the parent company of Facebook and Instagram, has been fined €91 million ($101.56 million) by the Irish Data Protection Commission (DPC) following a 2019 investigation into a significant security mishap. The social media giant was found to have stored millions of users’ passwords in plaintext, violating key provisions of the European Union’s General Data Protection Regulation (GDPR).

The investigation, which began after Meta disclosed the error in March 2019, uncovered several violations of GDPR, including the failure to implement appropriate technical safeguards to protect sensitive user data. Additionally, Meta did not promptly report the breach involving the storage of plaintext passwords to the DPC and failed to adequately document it.

Although Meta initially reported that the security lapse involved a subset of Facebook users’ passwords, further revelations indicated that millions of Instagram passwords were also affected. The company, however, maintained that there was no evidence of unauthorized access or misuse of the exposed credentials.

According to reports from Krebs on Security, some of the stored passwords date back as far as 2012, with internal records showing that approximately 2,000 engineers or developers made nine million internal requests that involved access to plaintext passwords.

Graham Doyle, deputy commissioner at the DPC, emphasized the seriousness of the incident: “Storing passwords in plaintext is an unacceptable risk, as it exposes users to potential misuse of their social media accounts. The sensitivity of these passwords cannot be overstated.”

Meta responded to the findings by stating that it took “swift action” to correct the issue and had “proactively flagged the error” to the DPC. This fine serves as a stern reminder of the stringent requirements of GDPR and the critical importance of securing user data in today’s digital landscape.
