# Meta Penalized $101 Million for Keeping User Passwords in Plaintext: A Significant Security Failure
## Introduction
In a notable regulatory decision, authorities in Ireland have levied a substantial fine of $101 million (91 million euros) on Meta, the parent entity of Facebook, Instagram, and WhatsApp, for maintaining hundreds of millions of user passwords in plaintext. This security oversight, which was revealed by Meta in 2019, uncovered a serious flaw in the company’s data security measures, leading to worries about user information safety and the effectiveness of internal security practices. The penalty is part of a larger investigation by the European Union (EU) into Meta’s data management under the General Data Protection Regulation (GDPR).
## The 2019 Revelation: A Significant Security Oversight
Meta disclosed the problem for the first time in early 2019, admitting that user passwords for several Meta-operated social networks were kept in plaintext in a database. This database was accessible to around 2,000 company engineers, who collectively accessed the password trove over 9 million times. Though Meta asserted that there was no proof of unauthorized access or password misuse by staff or outside parties, the extensive scope of exposure raised serious concerns.
This incident underscored a blatant shortcoming in Meta’s internal security practices, as storing passwords in plaintext is generally regarded as a critical breach of cybersecurity principles. For years, the conventional method for password storage has involved cryptographic hashing, a technique that converts plaintext passwords into a secure, irreversible format.
## What is Cryptographic Hashing?
Cryptographic hashing is a technique employed to safeguard passwords by transforming them into a fixed-length series of characters, referred to as a hash. This process is one-directional, indicating that once a password is hashed, it cannot be reverted to its original plaintext form. Hashing guarantees that even if a password database is breached, the attacker would still have to invest substantial computational power to deduce the original passwords.
### Why Hashing is Important
The main objective of hashing is to shield user passwords from being readily accessed or exploited by malicious entities. In case of a data breach, hashed passwords offer an extra layer of security, since attackers would need to undertake a lengthy process of guessing and comparing potential passwords to match the stored hashes. This procedure, known as “cracking,” can demand a significant amount of time and computational resources, particularly when the hashing algorithm is crafted to be slow and resource-demanding.
### Best Practices for Hashing
For hashing to be effective, several best practices should be adhered to:
1. **Utilization of Secure Hashing Algorithms**: Algorithms like MD5 and SHA1, designed for rapid performance, are no longer deemed secure for password hashing. Instead, algorithms such as Bcrypt, PBKDF2, and SHA512crypt come highly recommended, as they are deliberately slow and require considerable computational resources, complicating the task for attackers attempting to crack passwords.
2. **Applying Salting**: Salting entails adding a random string of characters (the “salt”) to the password prior to hashing it. This practice ensures that even if two users share the same password, their hashes will differ. Salting further elevates the difficulty of cracking passwords by compelling attackers to guess each password individually rather than relying on pre-computed hash tables (known as rainbow tables).
3. **Avoid Storing Passwords in Plaintext**: The paramount objective is to guarantee that passwords are never recorded in plaintext. This measure prevents both internal personnel and external adversaries from easily obtaining user credentials.
## Meta’s Shortcoming in Securing Passwords
In spite of these well-documented best practices, Meta did not adequately safeguard hundreds of millions of user passwords. The company’s internal security audit in 2019 disclosed that passwords were recorded in plaintext, rendering them susceptible to exploitation by anyone with database access. While Meta reassured the public that no evidence of unauthorized access was found, the incident unveiled a considerable shortfall in the company’s data protection strategies.
### The Regulatory Reaction
The Irish Data Protection Commission (DPC), which acts as the primary EU regulator for numerous U.S.-based technology firms, initiated an inquiry into Meta’s user password management soon after the 2019 revelation. The DPC’s deputy commissioner, Graham Doyle, underscored the gravity of the breach, stating, “It is widely acknowledged that user passwords should not be stored in plaintext, given the risks of abuse that arise from individuals accessing such information.”
The DPC’s investigation led to a $101 million fine, which was announced this week. The penalty is part of an ongoing trend of regulatory measures against Meta under the GDPR, which was implemented in 2018. Thus far, Meta has incurred fines exceeding $2.23 billion (2 billion euros) for various GDPR infractions, including a record penalty of $1.34 billion (1.2 billion euros) in 2022 for transferring EU user data to the United States in contravention of privacy laws.
## The Significance of GDPR in Data
