Meta fined €91 million for storing passwords in plain text – a GDPR compliance warning
Meta was fined €91 million by Ireland’s Data Protection Commission for storing user passwords in plain text, violating multiple GDPR provisions and highlighting the critical need for proper encryption and data‑security measures in large‑scale online services.
Recently, Ireland’s Data Protection Commission (DPC) imposed a record fine of €91 million (approximately ¥7.14 billion) on Meta for storing user passwords in clear text without any protective or encryption measures.
Meta acknowledged that, in addition to hundreds of millions of Facebook Lite users, tens of millions of other Facebook and Instagram users were affected; although there is no evidence yet of abuse, the risk is significant.
The DPC identified multiple GDPR violations: Article 5(1)(f) – integrity and confidentiality; Article 32(1) – security of processing; Article 33(1) – breach notification; and Article 33(5) – breach documentation, all breached due to the lack of encryption and delayed disclosure.
Storing passwords in plain text is a fundamental security failure: passwords are normally hashed before storage, making the original value unrecoverable, and users can only reset forgotten passwords rather than retrieve them.
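To make the contrast concrete, here is an added example (not code from Meta or from the original article) that places the plaintext-storage pattern the article describes beside a hashed store. The class names, the PBKDF2-HMAC-SHA256 choice and the iteration count are assumptions made for this illustration; the point is that the hashed store can verify and reset a password but has no way to hand the original back.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware


class PlaintextStore:
    """The failure pattern in the article: the password is kept exactly as typed."""

    def __init__(self):
        self._pw = {}

    def register(self, user, password):
        self._pw[user] = password

    def verify(self, user, password):
        return self._pw.get(user) == password

    def retrieve(self, user):
        # Anyone who can read the store (a log, a dump, an insider) gets the secret itself.
        return self._pw[user]


class HashedStore:
    """Per-user random salt plus a slow hash; the original value is never stored."""

    def __init__(self):
        self._rec = {}
        # Dummy record so an unknown user costs the same time as a known one
        # (avoids leaking which usernames exist through response timing).
        self._dummy = (os.urandom(16), self._derive("", os.urandom(16)))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)  # fresh salt per user: equal passwords give different records
        self._rec[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        salt, digest = self._rec.get(user, self._dummy)
        ok = hmac.compare_digest(digest, self._derive(password, salt))  # constant-time compare
        return ok and user in self._rec

    def reset(self, user, new_password):
        # The only recovery path: replace the record; there is no retrieve() to offer.
        self.register(user, new_password)

    def dump(self, user):
        salt, digest = self._rec[user]
        return salt.hex() + "$" + digest.hex()  # what a leaked row would look like
```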
This €91 million penalty serves as a stark reminder to the entire industry that proper encryption and robust data‑protection practices are non‑negotiable for companies handling billions of users’ sensitive data.
Top Architecture Tech Stack
Sharing Java and Python tech insights, with occasional practical development tool tips.