Meta Stored Europeans’ Passwords in Cleartext — Fined €91 Million

The EU’s privacy regulator has fined Meta (the owner of Facebook) €91 million for inadvertently storing some users’ passwords without protection or encryption.

The investigation into the incident began about five years ago, when Meta notified the Irish Data Protection Commission (DPC) that it had stored some users’ passwords in unencrypted form. The investigation found that no third parties had access to user data.

A Meta spokesperson said the company took immediate action to correct the situation once the incident was identified during a security audit in 2019. He added that there was no evidence that passwords were misused or that anyone had unauthorized access to them. Meta noted that the company had been constructively engaged with the DPC throughout the investigation.

The Irish Data Protection Commission is the lead EU regulator for most of the largest US internet companies due to the fact that their EU operations are typically conducted through Ireland.