Instagram — Enforcement
Executive Summary
The Irish DPC fined Meta €91 million for storing hundreds of millions of Facebook and Instagram user passwords in plaintext on internal systems without cryptographic protection, violating GDPR Articles 5(1)(f) and 32(1). The inquiry followed Meta's self-report of the issue in March 2019.
What Happened
On September 27, 2024, the Irish Data Protection Commission fined Meta Platforms Ireland Limited €91 million for storing user passwords in plaintext without encryption on its internal systems. The inquiry was launched in April 2019 after Meta self-reported the issue in March 2019, confirming that passwords for hundreds of millions of Facebook and Instagram users were stored without cryptographic protection. The passwords were not made available to external parties, and no objections to the penalty were raised by other EU supervisory authorities.
Who Is Affected
Hundreds of millions of Facebook and Instagram users whose passwords were stored in plaintext on Meta's internal systems are affected. The source material does not specify which regions or time periods the affected users belong to, though the enforcement action was taken by the Irish regulator under EU GDPR rules.
Why It Matters
Storing passwords in plaintext violates fundamental security principles and GDPR requirements for appropriate technical measures to protect personal data. The fine demonstrates that companies must implement proper encryption for sensitive data like passwords; passwords stored in plaintext could enable unauthorized access to users' social media accounts if accessed by internal personnel. This adds to Meta's growing list of GDPR penalties, including a record €1.2 billion fine in 2023 for data transfers and a €265 million fine in 2022 related to a data dump affecting over 533 million users.
What You Should Do
If you are a Facebook or Instagram user, you should change your password immediately if you have not done so since March 2019. Enable two-factor authentication on your account to add an extra layer of security beyond your password. Consider using a unique, strong password for your social media accounts that you do not reuse on other platforms.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.