Meta has been hit with a €91M ($101M) fine after the company had stored up to 600 million Facebook and Instagram passwords in plain text.

Cpvr

Meta has been hit with a €91M ($101M) fine after it was revealed that the company had stored up to 600 million Facebook and Instagram passwords in plain text. Some of these passwords had been accessible and unprotected as far back as 2012, and were searchable by over 20,000 Meta employees. The breach was uncovered in 2019, but it had reportedly been ongoing for seven years, according to Engadget.

Although Meta did not specify the exact number of accounts impacted, a senior employee disclosed to Krebs on Security that up to 600 million passwords were involved. Many of these had been stored in a plain text format on the company's servers since 2012, making them highly vulnerable.

Beyond the initial security lapse, Meta also failed to meet its legal obligation to report the breach in a timely manner to regulators. The Irish Data Protection Commission (DPC) found that Meta violated multiple GDPR provisions, including failing to notify the DPC of the breach without undue delay and failing to document the incident properly. The DPC also noted that Meta did not implement adequate technical measures to protect users' passwords from unauthorized access.

9to5Mac's Perspective:
A $101M fine seems relatively minor given the scale and duration of the breach. With access to email addresses and passwords, attackers could have potentially taken control of hundreds of millions of Facebook and Instagram accounts. In the case of Facebook, this would have exposed private posts intended only for close friends. Under GDPR, companies can be fined up to 4% of their global revenue for privacy violations, so there was room for a much harsher penalty. Until fines are large enough to significantly impact company leadership, privacy breaches may not be treated with the seriousness they warrant.

Source: https://9to5mac.com/2024/09/27/up-t...and-instagram-passwords-stored-in-plain-text/
 