Meta has been hit with a $101 million fine by Ireland’s Data Protection Commission (DPC) for storing Facebook and Instagram passwords in plaintext, a violation of the EU’s GDPR.
The issue dates back to 2019, when Meta discovered that user passwords were being stored in an unencrypted format on internal servers. Although only Meta employees had access to these servers, the company reported that up to 20,000 employees could have potentially accessed the passwords.
The DPC found that Meta failed to implement proper security measures and did not notify regulators of the breach within the mandatory 72-hour window. While Meta claimed it promptly fixed the issue after discovering it during a routine security review, the DPC concluded that the company had violated data privacy laws by failing to adequately protect user information.
Meta stated that there was no evidence of the passwords being misused or improperly accessed and has worked with the DPC throughout the investigation. The company has not confirmed if it will pay the fine, but it expressed commitment to strengthening security practices in the future. The DPC is expected to release its full decision soon.