Meta Fined for Password Security Breach

Dublin (Reuters) – The lead European Union privacy regulator fined social media giant Meta €91 million ($101.5 million) on Friday for inadvertently storing some users’ passwords without protection or encryption.

The inquiry was opened five years ago after Meta notified Ireland’s Data Protection Commission (DPC) that it had stored some passwords in ‘plaintext’. Meta publicly acknowledged the incident at the time and the DPC stated that the passwords were not made available to external parties.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Irish DPC Deputy Commissioner Graham Doyle in a statement.

The DPC is the lead EU regulator for most of the top U.S. internet firms due to the location of their EU operations in the country.

So far, it has fined Meta a total of €2.5 billion for breaches under the bloc’s General Data Protection Regulation’s (GDPR), introduced in 2018, including a record €1.2 billion fine in 2023, which Meta is appealing.

($1 = 0.8966 euros)