Meta faces consequences for storing millions of passwords in plaintext

Meta has been fined $101 million by Ireland’s Data Protection Commission for storing hundreds of millions of user passwords in plaintext. We don’t really need to point out the obvious: storing passwords in plaintext is a major violation of security best practices.

When Meta disclosed the incident in 2019, it revealed that passwords for various Meta-owned platforms had been logged in plaintext and stored in a searchable database. That database had been queried extensively, by more than 2,000 company engineers.

While Meta assured that there was no evidence of improper internal access or external exposure, that remains just an assurance.

Graham Doyle, deputy commissioner at Ireland’s Data Protection Commission, noted:

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Doyle said.

“It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

Mitigations?

Not many options remain, other than hoping that the billion-dollar app is at least hashing your password.
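The two failures in this incident are a storage problem (passwords kept as plaintext) and a logging problem (passwords written into searchable logs). The following is an added example, not code from the original post or from Meta, showing the defender's side of both: a salted, memory-hard password hash using Python's standard-library scrypt, a redaction step for structured log events, and a simple check that flags log lines still carrying an unredacted password field. The scrypt parameters, field names and sample log lines are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# scrypt cost parameters (assumption: conservative values chosen for this
# example; N=2**14, r=8 needs about 16 MiB of memory per hash).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex.

    A fresh random salt per user means identical passwords produce
    different records, so a leaked table cannot be attacked in bulk.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DIGEST_BYTES,
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n),
        r=int(r),
        p=int(p),
        dklen=DIGEST_BYTES,
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Field names treated as secrets when building a log event (assumption).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password"}
REDACTED = "[REDACTED]"


def redact_for_log(event: dict) -> dict:
    """Mask secret fields before an event is handed to the logging pipeline."""
    return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in event.items()}


# Matches key=value and "key": "value" forms for common password field names.
PASSWORD_FIELD = re.compile(r'"?(password|passwd|pwd)"?\s*[:=]\s*"?([^",\s}]+)', re.IGNORECASE)


def find_unredacted(log_lines: List[str]) -> List[int]:
    """Return 1-based indices of lines that carry a password field whose value is not redacted."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for match in PASSWORD_FIELD.finditer(line):
            if match.group(2) != REDACTED:
                hits.append(lineno)
                break
    return hits


# Constructed sample log lines for the check above (not real log data).
SAMPLE_LOG_LINES = [
    "login user=alice password=hunter2 result=ok",                    # plaintext leak
    '{"event": "login", "user": "bob", "password": "[REDACTED]"}',     # properly redacted
    "login user=carol result=fail",                                   # no password field
]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    print("redacted event:", redact_for_log({"user": "alice", "password": "hunter2"}))
    print("lines leaking a password:", find_unredacted(SAMPLE_LOG_LINES))
```

The stored record carries its own parameters, so the cost factors can be raised later and old records re-hashed on the next successful login. Running `find_unredacted` over a sample of application logs is a cheap check that catches exactly the failure mode described above before the data accumulates in a searchable store.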

One solid mitigation, aside from using two-factor authentication, is to avoid reusing the same password across services. It’s better to “set and forget”: recover the password through a reset flow when necessary, or use a reliable password manager.

Overall, the best mitigation plan is “hopium”: hoping two-factor authentication won’t be hacked, and hoping password managers aren’t vulnerable, or are at least patched quickly.
