Irish Watchdog Slaps Major Fine on Meta for Storing Passwords in Plain Text

Vlad CONSTANTINESCU

September 30, 2024


Meta Platforms Ireland Limited (MPIL) has been fined €91 million by the Irish Data Protection Commission (DPC) for storing hundreds of millions of users’ passwords in plain text.

According to the Irish watchdog, such storage directly violated data protection laws. The issue surfaced in 2019 during a routine security audit and involved Meta storing unencrypted passwords on its internal systems.

DPC’s Decision Stemmed From 5-Year-Old Security Issue

“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” reads Meta’s security advisory. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”

Although Meta reported no evidence of internal abuse, the sheer scale of the incident—involving millions of Facebook Lite and Instagram users—raised serious concerns.

Investigation Led to Reprimand and €91 Million Fine

After Meta disclosed the breach, the DPC launched an investigation culminating in a formal reprimand and a hefty fine.

“The Data Protection Commission (DPC) has today announced its final decision following an inquiry into Meta Platforms Ireland Limited (MPIL),” reads the Commission’s statement. “This inquiry was launched in April 2019, after MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption).”

European data protection authorities backed the DPC’s decision, highlighting the critical need for robust internal security measures, especially for highly sensitive data like passwords.

Meta Fixed the Issue and Notified Affected Users

Meta has since addressed the flaw and notified affected users. However, the DPC’s decision, motivated by the severity of the issue, seems to have sent a warning to tech giants that data privacy and GDPR compliance are not to be trifled with.

Although the DPC’s decision is not final, the watchdog promised to release its full decision and further details on the case at a later date.


Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
