The How To Guide was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on The How To Guide are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Meta Fined €91M for Storing Passwords in Plaintext

Anka Markovic Borak, Writer and Quality Assessor
First published on October 04, 2024

Ireland’s Data Protection Commission (DPC) has fined Meta €91 million for storing millions of user passwords in plaintext. The issue prompted a regulatory investigation into Meta’s adherence to the General Data Protection Regulation (GDPR).

In January 2019, Meta found that it had stored several hundred million account passwords in an unencrypted format. Most of them belonged to users of Facebook Lite, a version of the app designed for regions with limited internet access. Tens of millions of other Facebook accounts were also affected, along with Instagram accounts, although to a lesser degree.

Meta made the issue public in March 2019, stating that it had detected the flaw during a routine cybersecurity review. Although there was no evidence that the data was accessed by unauthorized individuals, the discovery prompted immediate notification to the DPC.

Meta Platforms Ireland Limited, the company’s EU headquarters, operates under the jurisdiction of the DPC, which launched a formal investigation in April 2019. The probe found that Meta had breached four GDPR provisions concerning data protection and breach notification. The DPC determined that Meta had failed to implement appropriate technical measures to secure user passwords and had not adequately documented or reported the breach in accordance with GDPR guidelines.

Two of the violated GDPR provisions focus on how companies must respond to personal data breaches. For example, the GDPR requires organizations to notify authorities of a breach within 72 hours, a measure Meta was found to have neglected. Additionally, Meta had not thoroughly documented the breach as required. The other two provisions concern the security measures needed to protect user data, which Meta was found not to have implemented sufficiently.

In a statement, Meta emphasized that the issue was identified and corrected as part of its 2019 security review. This fine follows previous penalties against Meta in Europe, including a €405 million fine in 2022 for failing to protect children's privacy on Instagram, and a staggering €1.2 billion fine for improper transfer of EU user data to the United States.

About the Author


Anka Markovic-Borak is a writer and quality assessor at The How To Guide, who leverages her expertise to write insightful articles on cybersecurity, driven by her passion for protecting online privacy. She also ensures articles written by others are reaching The How To Guide's high standards.
