The issue came to light in 2019 when Meta notified the Irish DPC that it had inadvertently stored a subset of Facebook users’ passwords in a readable format within its internal data systems. This discovery was made during a security review, and Meta immediately took action to rectify the error. However, the passwords had been stored in plain text on the company’s servers since as far back as 2012.
Affected Accounts and Accessibility
While Meta did not disclose the exact number of affected accounts, a senior employee indicated that up to 600 million passwords could have been involved in the breach. These passwords were not only unencrypted but also accessible to approximately 20,000 Facebook employees, although there is no evidence that the passwords were improperly accessed or abused.
Investigation and Findings
The Irish DPC, which is the lead EU regulator for Meta because the company’s European headquarters is based in Ireland, conducted a five-year investigation into the matter. The investigation concluded that Meta had failed to meet its obligations under the General Data Protection Regulation (GDPR).




