Meta Fined $101M for Storing User Passwords in Plain Text

Meta has been fined $101 million by Ireland’s Data Protection Commission for storing hundreds of millions of user passwords in plaintext and making them available to company employees. The fine is the latest in a series of penalties imposed on Meta for violating EU data protection regulations.

In 2019, Meta disclosed the lapse in its security practices, stating that an error was found during a routine review of its internal network data storage practices. However, this explanation did not address concerns about the risks associated with storing user passwords in plaintext.

Industry best practice treats hashing as essential for protecting stored passwords. Hashing passes each password through a one-way cryptographic function that produces a fixed-length digest; the digest, not the password, is what gets stored. Recovering the original password from that digest is infeasible without expending significant computational resources and time.
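To make the contrast concrete, the following is an added example (not code from Meta or from the Ars Technica article) of the storage pattern the paragraph describes: a salted, iterated one-way function produces a record that can verify a password without containing it. The function choice (PBKDF2-HMAC-SHA256 from Python's standard library), the iteration count and the record format are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Parameters are assumptions for this example; tune the iteration count to
# your hardware so that one verification costs a noticeable fraction of a second.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    Only this record is written to the database; the password itself never is.
    A fresh random salt per password means two users with the same password
    get different records, so a leaked table cannot be attacked with one
    precomputed lookup.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join(
        [
            ALGORITHM,
            str(iterations),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count.

    The comparison is constant-time so that timing does not reveal how many
    leading bytes of the digest matched.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def record_leaks_password(record: str, password: str) -> bool:
    """True if the stored record contains the password literally.

    A plaintext store fails this check for every user; a hashed store passes,
    which is the property an internal review of a password table should confirm.
    """
    return password in record


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    record = hash_password("hunter2-example")
    print("stored record:", record)
    print("correct password verifies:", verify_password("hunter2-example", record))
    print("wrong password verifies:", verify_password("hunter2-examplE", record))
    print("record contains the password:", record_leaks_password(record, "hunter2-example"))
```

The record carries its own algorithm name and iteration count, so the cost parameter can be raised later and old records re-hashed on the user's next successful login without a schema change.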

Meta’s use of plaintext passwords instead of hashed versions was criticized by experts, who pointed out that this approach leaves users vulnerable to hacking and abuse. “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Graham Doyle, deputy commissioner at Ireland’s Data Protection Commission.

The commission has been investigating Meta’s handling of user passwords since 2019 and has imposed a total fine of over $2.23 billion on the company for violating EU regulations, including last year’s record $1.34 billion fine that Meta is currently appealing.

Source: https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/