Facebook's parent company Meta fined over VND2,500 billion for leaking user passwords

The issue, discovered and reported by Meta in 2019, affected hundreds of millions of users across Meta platforms.

Ireland's Data Protection Commission fined Facebook parent company Meta $102 million yesterday, following an investigation that began in 2019. At the time, Meta informed regulators that it had accidentally stored some passwords in plain text without encryption.

The DPC investigation found that Meta breached certain obligations under the European General Data Protection Regulation in encrypting user passwords for a particular service.

"GDPR requires data controllers to implement appropriate security measures for personal data, taking into account possible risks. To ensure the security of user information, data controllers must assess the potential risks in their operations and take measures to mitigate those risks," the GDPR announcement said.

A Meta spokesperson explained to CyberScoop that the company discovered that “a small number” of Facebook user passwords were only “temporarily stored in a readable format in our internal data systems.” The company “took immediate action to fix the issue and there is no evidence that these passwords were misused or improperly accessed.”

The company “proactively reported this issue” to the DPC “and we have been actively engaging with them throughout the investigation,” a Meta spokesperson added.

In a March 2019 statement posted on the company's website, Pedro Canahuati, Meta's vice president of engineering, security and privacy, said the company discovered and fixed the issue, then notified hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users about the issue.

An April 2019 update said that Meta had discovered additional Instagram password records stored in a readable format, affecting millions of Instagram users.