EU Fines Meta €91 Million for Unsecured Password Storage

The lead privacy regulator of the European Union imposed a 91-million-euro ($101.5 million) fine on social media giant Meta on Friday for accidentally storing some users’ passwords without adequate protection euros over password storage or encryption.

The investigation began five years ago after Meta informed Ireland’s Data Protection Commission (DPC) that it had stored some passwords in an unsecured format known as ‘plaintext.’

Meta acknowledged the issue publicly at the time, and the DPC confirmed that the passwords were not exposed to any external parties.

“It is widely recognized that storing user passwords in plaintext is unacceptable due to the potential for misuse if the data is accessed,” stated Graham Doyle, Deputy Commissioner of the Irish DPC.

Also Read: Meta declines immediate entry into EU AI Pact

A Meta representative stated that the company took swift action to address the problem when it was discovered during a 2019 security review, and noted that there is no evidence of passwords being misused or improperly accessed. The spokesperson added that Meta cooperated fully with the DPC throughout the investigation.

The DPC serves as the main EU regulator for many major U.S. tech companies due to the location of their EU headquarters in Ireland.

Meta has so far been fined a cumulative 2.5 billion euros for violations under the EU’s General Data Protection Regulation (GDPR), which came into effect in 2018. This includes a record 1.2 billion euro fine in 2023, which Meta is currently contesting.