Facebook and Instagram passwords were stored in plaintext, Meta fined
Ireland’s privacy watchdog Data Protection Commission (DPC) has fined Meta €91M ($101M) after the discovery in 2019 that Meta had stored 600 million Facebook and Instagram passwords in plaintext.
The DPC ruled that Meta was in violation of GDPR on several occasions related to this breach. It determined that the company failed to “notify the DPC of a personal data breach concerning storage of user passwords in plaintext” without delay, and failed to “document personal data breaches concerning the storage of user passwords in plaintext.”
The DPC also said that Meta violated GDPR by not using appropriate technical measures to ensure the security of users’ passwords against unauthorized processing.
While the DPC does not disclose the number of passwords, several sources at the time quoted internal sources at Facebook who said 600 million password were freely accessible to employees. Most of these passwords belonged to Facebook Lite users, but it affected other Facebook and Instagram users as well.
Facebook found out that it logged the passwords in plaintext by mistake during a code review.
Over the years, several data sets belonging to Facebook users have circulated on Dark Web marketplaces. We’ve seen country-specific sets for Iran, Sudan, and Hong Kong. The largest data set that is still publicly accessible contains 303,081,505 records and was shared on a Telegram channel in February 2022. The data contains email addresses, names, phone numbers and additional personal information.
In April 2021, a cybercriminal posted over half a billion scraped Facebook profiles for free on a hacking forum. The data encompassed profiles from over 100 countries and included emails, Facebook IDs, birthdays, phone numbers, and other Personally Identifiable Information (PII). Several other forums mirrored this data set.
Last February, we reported how personal data belonging to Facebook Marketplace users was published online. That leak consisted of around 200,000 records that contained names, phone numbers, email addresses, Facebook IDs, and Facebook profile information.
In 2019, a private security researcher reported finding a database with the names, phone numbers, and unique user IDs of over 267 million Facebook users. The hosting company took the database offline after a tip off from the security researcher.
Social media accounts container a lot of personal information which combined with our email addresses provides cybercriminals with information they can use to add credibility to their phishing attempts.
It’s a good idea to check what personal information of yours is out there, and for that you can use our free Digital Footprint scan. Fill in the email address you use most frequently to sign up for sites and services, and we’ll give you a free report.