Monday, October 7, 2024

Meta Fined for Logging Passwords

Alexander Martin (via Hacker News):

The social media giant Meta has been fined €91 million ($101 million) for accidentally storing hundreds of millions of its users’ passwords in plaintext instead of in an encrypted format on its internal systems.

Meta first announced discovering the engineering mistake back in 2019. At the time, the company stated it would be notifying everyone whose passwords were stored without protection although it stressed the passwords were only exposed internally at Meta, and there was no evidence that any of them had been abused.

Following a five-year investigation, the Irish Data Protection Commission (DPC) — which is the EU’s lead privacy authority on Meta, as the company’s European headquarters are based in Ireland — found the incident was a breach of Meta’s legal duties under the EU’s General Data Protection Regulations (GDPR).

Dan Goodin (Hacker News):

The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.

[…]

For more than three decades, best practices across just about every industry have been to cryptographically hash passwords.

Because “only” hundreds of millions of users are affected, it sounds like they were not actually storing the passwords in the database unhashed. Rather, they were probably inappropriately logging some raw request data. So it’s not that the passwords should have been hashed but that they shouldn’t have been logged. This is bad, but it seems Meta caught the problem themselves and were transparent about it. It’s unclear to me what the DPC was investigating for five years.
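To make the distinction above concrete, here is an added example (not code from the post or from Meta) of the two logging paths: a naive logger that dumps the raw request, producing exactly the kind of plaintext-password log entry described, beside a redacting logger that strips credential-bearing fields and query parameters before the line is written. The sample request, the key patterns and the marker text are constructed for the example.

```python
import json
import re
from typing import Any
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: a login request as an app backend might see it.
SAMPLE_REQUEST = {
    "path": "/login",
    "body": {"email": "user@example.com", "password": "hunter2", "remember": True},
    "headers": {"Authorization": "Bearer abc.def.ghi", "User-Agent": "Messenger/1.0"},
}

# Key names that should never reach a log in plaintext (assumed list, extend per app).
SENSITIVE_KEYS = re.compile(r"(pass(word|wd)?|pwd|secret|token|authorization|cookie)", re.I)
MARKER = "REDACTED"


def redact(value: Any) -> Any:
    """Recursively replace the values of credential-bearing keys with MARKER."""
    if isinstance(value, dict):
        return {k: (MARKER if SENSITIVE_KEYS.search(k) else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def redact_url(url: str) -> str:
    """Redact sensitive query parameters, e.g. ?password=... sent on a GET."""
    parts = urlsplit(url)
    pairs = [(k, MARKER if SENSITIVE_KEYS.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def naive_log_line(request: dict) -> str:
    """The failure mode: the raw request, password included, goes to the log."""
    return json.dumps(request, sort_keys=True)


def safe_log_line(request: dict) -> str:
    """The hardened path: redact before serialising, so the secret never exists in log storage."""
    return json.dumps(redact(request), sort_keys=True)


def contains_secret(log_line: str, secret: str) -> bool:
    """Detection check usable in tests or log review: is a known credential present verbatim?"""
    return secret in log_line
```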



My guess is that it took the IRISH data protection Commission five years to investigate because they were buried under a mountain of tax exemption.
