Facebook Fined for Password Failure

By John Lister

Facebook's parent company has been fined the equivalent of $100 million for storing user passwords in plain text. Leaving the passwords readable, rather than keeping only a salted one-way hash of each, breached Europe's General Data Protection Regulation (GDPR).

Meta, which runs Facebook and Instagram, broke the rules despite there being no evidence that anyone accessed the passwords without authorization or that anyone was then able to access accounts.

Delay In Coming Clean

The company was found to have breached the GDPR on four counts. Two involved failing to adequately secure personal data, one involved not properly documenting these failures (which were classed as a personal data breach) and one involved not telling data regulators about the failure quickly enough.

Storing passwords in plain text is considered extremely poor security practice even though it is not an immediate risk in itself. If somebody gained access to the database without authorization (either through an external hack or from inside the company), they could use every password straight away, with no need to spend time cracking hashes first.
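To make the difference concrete, here is an added example (not code from the article, and not Meta's code) contrasting the practice described above with the standard alternative. A plaintext record hands the password to whoever reads the table; a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library, with a per-user random salt and a constant-time comparison) forces an attacker to guess. The function names, record format and the 600,000-iteration work factor are this example's own choices; the sample password is constructed.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (600,000 is the OWASP 2023 recommendation;
# raise it as hardware gets faster). Chosen for this example.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The practice the article describes: the stored record IS the password,
    so anyone who reads the database (attacker or insider) can log in at once."""
    return password


def store_hashed(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow, one-way hash. The record reveals nothing usable without
    guessing, and each guess costs `iterations` HMAC computations."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record (hypothetical format) so parameters can be upgraded later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:  # malformed record: treat as a failed login, never crash
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def record_exposes_password(record: str, password: str) -> bool:
    """What a database dump gives away: True means the password appears verbatim."""
    return password in record


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """Call after a successful login: if the stored work factor is below current
    policy (or the record is not in the expected format), re-store the password
    with store_hashed() while the plaintext is still in hand."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    bad = store_plaintext(pw)
    good = store_hashed(pw)
    print("plaintext record exposes password:", record_exposes_password(bad, pw))
    print("hashed record exposes password:   ", record_exposes_password(good, pw))
    print("verify correct password:", verify_hashed(pw, good))
    print("verify wrong password:  ", verify_hashed("hunter2", good))
```

Two details matter in practice. Hashing the same password twice yields different records because the salt differs, so an attacker cannot tell which users share a password or precompute a single table for everyone. And `needs_rehash` is how a site raises its work factor over time without ever needing the plaintext again outside the login path.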

The fine of €91 million came from the Data Protection Commission in Ireland where Meta does much of its European data processing. It said that "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts." (Source: dataprotection.ie)

Drop in the Ocean

Whether the fine is excessive, or is enough of a deterrent, is a matter of opinion and may depend on whether you take Meta's finances into account. Based on its most recent financial reports, it is the same amount the company makes in profit in just 16 hours.

The same data regulator previously fined Meta more than a billion dollars for an earlier breach of the GDPR. In that case, Meta had failed to follow the rules for transferring data between Europe and the United States, which are designed to make sure personal data is protected to the same standards in both places. (Source: bbc.co.uk)

What's Your Opinion

Is the fine appropriate? Does it make a difference that the passwords were for social media accounts? Should businesses have to follow data protection rules or should it be up to customers to "vote with their feet"?


Comments

Dennis Faas

On a slightly unrelated note:

Due to a Facebook vulnerability, my Facebook account has been permanently disabled even though I did nothing wrong.

A bot managed to link its Instagram account to my Facebook account without my permission, linked my credit card to another Facebook account, purposely got my Facebook banned, then charged my credit card $25 in Meta ad fees. Luckily I was able to stop any more money coming out through PayPal. I was later able to dispute and file a chargeback.

The real kicker in all this is that the only option to get my account back was to login to the Instagram account that caused the ban in order to dispute. Since I don't own the Instagram account, there is literally no other way to contact Facebook in this matter. I lost 10+ years of having a Facebook account, content, and all contacts.

I hope Facebook gets sued for billions and billions of dollars because of it.

There are literally HUNDREDS of complaints on reddit about this, and it has been a known vulnerability as far back as May 2023. Facebook definitely knows about it and chooses to do nothing about it.

https://siliconangle.com/2023/05/28/facebook-users-lose-accounts-due-unknown-linked-spam-instagram-accounts/

Fuck Facebook!

beach.boui

My wife's Facebook account, which she had for 15+ years, apparently was hacked and resulted in being disabled. Somehow, Facebook decided she, at 63 years old, was underage and didn't follow Facebook rules, or something like that. Facebook said she could dispute the issue to recover the account. But all the instructions to dispute the matter just went in a useless loop, never being able to file a dispute. It was utterly and completely impossible to do as the instructions required. I spent hours researching how to file a dispute. Wasted time. It all led back to the same place... Nowhereville. She was a very active Facebook user. She had contacts, both casual and professional, all lost.

nate04pa

I have never established any social media accounts. No Facebook, Instagram, Tik Tok, etc. I have no regrets and do not think I am missing out on anything really important.

I do know that anything you put on one of these sites will never go away. Too many people can access it and repost or forward so that even if YOU delete it, it is still out there.

ronangel1

The one thing about Facebook is that if you break a rule you did not know existed and have your account suspended, it is impossible to contact them via email to get it corrected after the account is no longer working. This also applies if you try to contact them via another account about the matter. This is a bad situation if the matter is a financial one. At least we are not paying for the account!