We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Meta Fined €91M for Storing Passwords in Plaintext

By Anka Markovic Borak, Writer and Quality Assessor. Published on 4th October 2024.

Ireland’s Data Protection Commission (DPC) has fined Meta €91 million for storing millions of user passwords in plaintext. The issue prompted a regulatory investigation into Meta’s adherence to the General Data Protection Regulation (GDPR).

Meta found in January 2019 that it had maintained several hundred million account passwords in an unencrypted format, mostly affecting users of Facebook Lite, a version of the app designed for regions with limited internet access. Tens of millions of other Facebook accounts were also affected, along with Instagram accounts, although to a lesser degree.

Meta made the issue public in March 2019, stating that it had detected the flaw during a routine cybersecurity review. Although there was no evidence that the data was accessed by unauthorized individuals, the discovery prompted immediate notification to the DPC.

Meta Platforms Ireland Limited, the company’s EU headquarters, operates under the jurisdiction of the DPC, which launched a formal investigation in April 2019. The probe found that Meta had breached four GDPR provisions concerning data protection and breach notification. The DPC determined that Meta had failed to implement appropriate technical measures to secure user passwords and had not adequately documented or reported the breach in accordance with GDPR guidelines.

Two of the violated GDPR provisions focused on how companies must respond to personal data breaches. For example, the GDPR requires organizations to notify authorities of a breach within 72 hours, a measure Meta was found to have neglected. Additionally, Meta had not thoroughly documented the breach as required. The other two provisions concern data security: under them, Meta was found not to have implemented sufficient security measures to protect user data.

In a statement, Meta emphasized that the issue was identified and corrected as part of its 2019 security review. This fine follows previous penalties against Meta in Europe, including a €405 million fine in 2022 for failing to protect children's privacy on Instagram, and a staggering €1.2 billion fine for improper transfer of EU user data to the United States.

About the Author

Anka Markovic-Borak is a writer and quality assessor at vpnMentor who leverages her expertise to write insightful articles on cybersecurity, driven by her passion for protecting online privacy. She also ensures that articles written by others meet vpnMentor's high standards.
