Facebook stored hundreds of millions of user passwords in plain text for years

NYC social media expert Kris Ruby recently appeared on Fox News discussing Facebook’s latest security breach.
Another day, another Facebook crisis, says social media expert Kris Ruby.
Facebook is far more focused on turning data to advertising revenue than they are with user security and privacy. This has created a massive data security loophole for bad actors to exploit, said Kris Ruby, Ruby Media Group CEO.
Hundreds of millions of Facebook users did not know that their passwords were sitting in plain text in the company’s data storage system, potentially leaving them vulnerable to employee misuse and cyberattacks for years.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.” – Pedro Canahuati, VP Engineering, Security and Privacy, Facebook
The GDPR, which came into force in 2018, holds companies to high standards when it comes to protecting Europeans’ privacy. As part of the rules, companies operating in the region must be proactive in ensuring that they’re transparent about any potential privacy problems they discover. Meta reported the problem when it made the discovery.
“As part of a security review in 2019, we found that a subset of Facebook users’ passwords were temporarily logged in a readable format within our internal data systems,” a spokesperson for the company said. “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly.”
“The Facebook source said the investigation indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.”
Facebook stored passwords for hundreds of millions of users in plain text, exposing them for years to anyone who had internal access to the files, according to Krebs on Security. User passwords are typically protected by hashing (a one-way transformation, often loosely described as encryption, that cannot be reversed to recover the password), but a string of errors led certain Facebook-branded apps to leave passwords accessible to as many as 20,000 company employees.
Between 200 million and 600 million Facebook users are believed to have been affected, according to Krebs, which first reported the security flaw. Facebook confirmed the issue in a blog post, titled “Keeping Passwords Secure,” and it said the company identified the problem in January as part of a security review. Facebook says it has fixed the issue and will notify everyone affected.
Facebook and Instagram passwords were stored in plaintext.
Meta fined $102 million for breaking Europe’s strict privacy rules.
TL;DR: Social media companies must prioritize user privacy and data security. Meta failed to put privacy protections in place years earlier to secure social media passwords. A report revealed Facebook accidentally stored social media passwords in plain text.
The Irish Data Protection Commissioner, which is in charge of ensuring Meta abides by Europe’s General Data Protection Regulation, issued the fine following a five-year investigation, dating back to 2019, when social media expert Kris Ruby first reported on the breach news in a live segment on Fox News.
In September 2024, Ireland’s privacy watchdog Data Protection Commission (DPC) fined Meta €91M ($101M) after the discovery in 2019 that Meta had stored 600 million Facebook and Instagram passwords in plaintext.
The DPC ruled that Meta was in violation of GDPR on several occasions related to this breach. It determined that the company failed to “notify the DPC of a personal data breach concerning storage of user passwords in plaintext” without delay, and failed to “document personal data breaches concerning the storage of user passwords in plaintext.”
The DPC also said that Meta violated GDPR by not using appropriate technical measures to ensure the security of users’ passwords against unauthorized processing.
In 2019, several sources said more than 600 million passwords were freely accessible to employees at Facebook. Most of these passwords belonged to Facebook Lite users, but other Facebook and Instagram users were affected as well.
“Facebook found out that it logged the passwords in plaintext by mistake during a code review.”
In 2024, the Data Protection Commission (DPC) announced its final decision following an inquiry into Meta Platforms Ireland Limited (MPIL). This inquiry was launched in April 2019, after MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption).
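The root cause described above was not a deliberate design choice but passwords leaking into internal logs and data systems in readable form. The following added example (not Facebook’s or the DPC’s code) shows the two defensive controls a practitioner would want for that failure mode: a logging filter that scrubs credential fields before a record is written, and an audit helper that scans existing log lines for credentials that already slipped through. The key names, the sample log lines and the log format are constructed for illustration.

```python
import io
import logging
import re

# Constructed list of field names whose values must never reach a log line
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password", "token"}
REDACTED = "[REDACTED]"

# Matches key=value, key: value, 'key': 'value' and "key": "value" fragments in free text
_KV_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(sorted(SENSITIVE_KEYS)) + r")\b"
    r"([\"']?\s*[=:]\s*[\"']?)"      # separator, with optional surrounding quotes
    r"([^\s,;&\"'}]+)"               # the value to scrub
)


def redact_text(line):
    """Scrub credential fragments from one free-text line, keeping the key visible."""
    return _KV_PATTERN.sub(lambda m: m.group(1) + m.group(2) + REDACTED, line)


def redact_mapping(data):
    """Scrub a structured (JSON-style) payload recursively, so a password nested
    inside a request body is replaced before the object is serialised to a log."""
    if isinstance(data, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact_mapping(v))
                for k, v in data.items()}
    if isinstance(data, list):
        return [redact_mapping(v) for v in data]
    return data


class RedactingFilter(logging.Filter):
    """logging.Filter that rewrites every record's final text before any handler sees it."""

    def filter(self, record):
        # Render the %-style template first, then scrub, so the template itself stays intact
        record.msg = redact_text(record.getMessage())
        record.args = None
        return True


def capture_redacted_log(message, *args):
    """Run one record through a logger fitted with RedactingFilter and return what
    was written (a StringIO stands in for the real log sink)."""
    buf = io.StringIO()
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(message, *args)
    logger.removeHandler(handler)
    return buf.getvalue().strip()


def find_leaked_credentials(log_lines):
    """Audit helper: return the 1-based numbers of lines that still carry a credential."""
    return [i for i, line in enumerate(log_lines, 1) if _KV_PATTERN.search(line)]


# Constructed sample log lines (not real data): line 2 leaks a password via a
# dumped form object, line 3 leaks a token via key=value, line 1 is clean.
SAMPLE_LOG = [
    "2019-01-14T10:02:11Z INFO auth login ok user=alice ip=10.0.0.5",
    "2019-01-14T10:02:12Z DEBUG auth form={'email': 'bob@example.com', 'password': 'hunter2'}",
    "2019-01-14T10:02:13Z INFO api token=abc123 issued",
]

if __name__ == "__main__":
    print(capture_redacted_log("login attempt user=%s password=%s ip=%s", "alice", "hunter2", "10.0.0.5"))
    print("lines still leaking credentials:", find_leaked_credentials(SAMPLE_LOG))
```

The filter scrubs the rendered message rather than the template or the arguments individually, so a `%s` placeholder that happens to sit after `password=` is never mangled before formatting. `redact_mapping` is the companion for structured logging pipelines that serialise dictionaries; `find_leaked_credentials` is the retrospective check that a code review like the one Facebook describes would run over archived logs.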
The DPC submitted a draft decision to the other Concerned Supervisory Authorities across the EU/EEA in June 2024, as required under Article 60 of the GDPR.
The decision, which was made by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, includes a reprimand and a fine of €91 million.
The DPC’s Decision records the following findings of infringement of the GDPR:
- Article 33(1) GDPR, as MPIL failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext;
- Article 33(5) GDPR, as MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
- Article 5(1)(f) GDPR, as MPIL did not use appropriate technical or organizational measures to ensure appropriate security of users’ passwords against unauthorized processing; and
- Article 32(1) GDPR, because MPIL did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
Deputy Commissioner at the DPC, Graham Doyle said, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
TIP: User passwords should not be stored in plaintext.
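What “not in plaintext” means in practice is a salted, deliberately slow one-way hash that is verified in constant time. The following is an added example, not code from Facebook or from Ruby Media Group, using PBKDF2-HMAC-SHA256 from Python’s standard library; the record layout, the iteration count and the sample credential store are constructed for illustration. It also shows the audit check a defender would run over a store to find entries that are still plaintext.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters: iteration count should be tuned to the verifying hardware
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password, salt=None):
    """Return a self-describing record: scheme$iterations$salt_b64$hash_b64.
    A fresh random salt is drawn unless one is supplied, so identical passwords
    produce different records and cannot be matched across accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN)
    return "$".join([
        SCHEME,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the hash with the record's own parameters and compare in constant time.
    Anything that is not a well-formed record (including a plaintext value) fails."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iterations)
    except ValueError:
        return False
    if scheme != SCHEME or not salt or not expected:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(derived, expected)


def is_hashed_record(value):
    """True if a stored value has the expected record layout; used to audit a store."""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        digest = base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False
    return bool(salt) and bool(digest)


def audit_store(store):
    """Return the usernames whose stored credential is not a hashed record."""
    return sorted(user for user, value in store.items() if not is_hashed_record(value))


# Constructed sample store (not real data): two correct entries and one plaintext
# entry of the kind the audit must flag.
SAMPLE_STORE = {
    "alice": hash_password("alice-pw-example"),
    "bob": hash_password("bob-pw-example"),
    "carol": "carol-pw-example",
}

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("plaintext entries:", audit_store(SAMPLE_STORE))
```

Storing the parameters inside the record lets the iteration count be raised later without invalidating existing users: old records keep verifying with their own count and can be re-hashed on next successful login. `hmac.compare_digest` avoids a timing side channel in the comparison.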
SOCIAL MEDIA PRIVACY TIPS
Securing Your Account on Facebook
Use Strong, Unique Passwords
Employ robust passwords and change them regularly.
A strong password is your first line of defense against unauthorized access. Utilize a mix of upper and lower-case letters, numbers, and special characters. Consider using a reputable password manager to keep track of your credentials securely.
Enable Two-Factor Authentication (2FA)
Take proactive steps to protect your devices and personal data.
Two-factor authentication adds an extra layer of security by requiring not just a password but also a second form of identification. This could be a code sent to your phone or an authentication app, making it significantly harder for cybercriminals to gain access to your accounts.
Keep your account secure
Steps you can take to keep your account secure
- You can change your password in your settings on Facebook and Instagram.
- Avoid reusing passwords across different services.
- Pick strong and complex passwords for all your accounts.
- Password manager apps are another layer of privacy protection.
- Enable a security key or two-factor authentication to protect your Facebook account using codes from a third-party authentication app.
- Sign up to receive alerts about unrecognized logins.
FACEBOOK ON USER SECURITY AND PRIVACY:
- “We use a variety of signals to detect suspicious activity. For example, even if a password is entered correctly, we will treat it differently if we detect that it is being entered from an unrecognized device or from an unusual location. When we see a suspicious login attempt, we’ll ask an additional verification question to prove that the person is the real account owner.”
- “Knowing some people reuse passwords across different services, Facebook keeps a close eye on data breach announcements from other organizations and publicly posted databases of stolen credentials. We check if stolen email and password combinations match the same credentials being used on Facebook. If we find a match, we’ll notify you next time you login and guide you through changing your password.”
- To minimize the reliance on passwords, Meta introduced the ability to register a physical security key to your account, so the next time you log in you’ll simply tap a small hardware device that plugs into a USB port on your computer. This measure is particularly critical for high-risk users including journalists, activists, political campaigns and public figures.
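The first two points above describe two server-side controls: risk-based login evaluation (a correct password from an unrecognized device or unusual location still triggers step-up verification) and matching user credentials against publicly leaked credential sets. The following added example (not Meta’s code) implements both in miniature. The account profile, login attempts and the breached-password corpus are constructed; the corpus stands in for the k-anonymity range lookup that public breach services expose, where only a short hash prefix leaves the system.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class AccountProfile:
    """Constructed 'known good' context learned from prior successful logins."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    password_ok: bool      # result of the password hash check, done elsewhere


# Constructed stand-in for a breached-credential corpus: SHA-1 of leaked passwords,
# uppercase hex, the format range-query breach services use.
BREACHED_SHA1 = {
    hashlib.sha1(b"hunter2").hexdigest().upper(),
    hashlib.sha1(b"password123").hexdigest().upper(),
}


def breached_suffixes_for_prefix(prefix):
    """Simulates a range query: given a 5-hex-char prefix, return the matching
    suffixes. Only the prefix would ever be sent to an external service."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def password_is_breached(password):
    """True if the password appears in the breached corpus, decided locally on the suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in breached_suffixes_for_prefix(digest[:5])


def evaluate_login(attempt, profile):
    """Return (decision, reasons) where decision is 'deny', 'step_up' or 'allow'.
    A correct password is necessary but not sufficient: unfamiliar context
    escalates to an additional verification step instead of granting access."""
    if not attempt.password_ok:
        return "deny", ["bad_password"]
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unrecognized_device")
    if attempt.country not in profile.known_countries:
        reasons.append("unusual_location")
    if reasons:
        return "step_up", reasons
    return "allow", reasons


def record_verified_login(attempt, profile):
    """After step-up succeeds, remember the device and location so the next login is low-risk."""
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)
    return profile


if __name__ == "__main__":
    alice = AccountProfile({"dev-1"}, {"US"})
    for attempt in [
        LoginAttempt("alice", "dev-1", "US", True),
        LoginAttempt("alice", "dev-9", "FR", True),
        LoginAttempt("alice", "dev-9", "FR", False),
    ]:
        print(attempt.device_id, attempt.country, evaluate_login(attempt, alice))
    print("hunter2 breached:", password_is_breached("hunter2"))
```

The decision function deliberately returns reasons alongside the verdict so that the step-up prompt and the security log can state which signal fired, which is what makes “unrecognized login” alerts (the last tip in the list above) actionable for the user.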
Facebook Settings and Privacy
How do I protect my privacy on Facebook?
Want to limit data collection by Meta? Keep reading…
How to Change Privacy Settings on Facebook
As a social media expert, I frequently get asked how to manage privacy settings on Facebook for maximum protection and security. It’s essential to stay informed about how to protect your personal information. Whether you want to limit who sees your posts, control data sharing with third-party apps, or secure your account, this social media privacy guide will walk you through the key steps to adjust your Facebook privacy settings.
Your privacy settings determine who can see your posts, tag you, send you friend requests, and access your personal data. With growing concerns about data security, taking control of your settings is crucial to safeguarding your online presence.
Step-by-Step Guide to Changing Facebook Privacy Settings
Access Facebook’s Privacy Settings
- Open Facebook and click on your profile picture in the top-right corner.
- Select “Settings & Privacy”, then choose “Settings”
- Click on “Privacy” in the left-hand menu.
Adjust Your Privacy Preferences
Under the Privacy Settings and Tools section, you can modify key settings such as:
- Who can see your future posts? – Change this to “Friends” or “Only Me” for more privacy.
- Review posts you’re tagged in before they appear on your profile? – Turn this feature on to approve tags before they go live.
- Who can look you up using your email or phone number? – Restrict this to “Friends” or “Only Me” to prevent strangers from finding you.
Control Your Timeline and Tagging Settings
- Go to “Timeline and Tagging” in the Settings menu.
- Adjust who can post on your timeline and who can see posts you’re tagged in.
- Enable the review feature for tags to avoid unwanted mentions.
Manage Access To Third-Party Apps and Websites
- Navigate to “Apps and Websites” in the Settings menu.
- Remove any apps that no longer need access to your Facebook data.
- Disable data sharing with third-party advertisers where possible.
Secure Your Account with Two-Factor Authentication
- Go to “Security and Login” settings.
- Turn on Two-Factor Authentication (2FA) for added security.
- Check where you’re logged in and remove any unrecognized devices.
Limit Ad Tracking and Data Collection
- Click on “Ad Preferences” under Settings.
- Adjust how Facebook personalizes ads based on your activity.
- Turn off “Data Sharing with Partners” to reduce targeted advertising.
Regularly reviewing and updating your Facebook privacy settings ensures that you maintain control over your personal data and online interactions. As privacy concerns evolve, Facebook may update its settings, so make it a habit to check your privacy preferences periodically.
For more social media insights, follow Ruby Media Group for expert strategies on digital privacy and online reputation management.
Enterprise Privacy Protection & Cybersecurity Consulting Services | Ruby Media Group
Privacy As a Service
Companies can learn from Meta’s privacy blunder. This incident underscores an urgent need for vigilance and strengthened defense mechanisms against cyber threats. Not all threats are intentional, and some are accidental and due to careless oversight.
Understanding the dynamics of cybersecurity infrastructure hardening adds a layer of urgency and complexity to global cybersecurity discourse. It is essential for technology companies, governments, and corporations to create comprehensive cybersecurity strategies to safeguard against evolving threats in an AI-powered cyber landscape. As the threat evolves and the landscape changes, your company must be prepared for any attack that can emerge.
Has your company failed to meet its obligation to guarantee customers appropriate privacy and security? If so, you may be at risk of regulatory action. Need help implementing best-in-class cybersecurity solutions? Ruby Media Group can help. We can help executives find compromised passwords and harden your digital fortress to protect your company from challenging threats that leave you open to attack.
Remember, cybersecurity is not a destination but an ongoing journey. Stay informed, stay updated, and above all, stay secure.
KRIS RUBY is the CEO of Ruby Media Group, an award-winning public relations and media relations agency in Westchester County, New York. Kris Ruby has more than 15 years of experience in the Media industry. She is a sought-after media relations strategist, content creator and public relations consultant. Kris Ruby is also a national television commentator and political pundit and she has appeared on national TV programs over 200 times covering big tech bias, politics and social media. She is a trusted media source and frequent on-air commentator on social media, tech trends and crisis communications and frequently speaks on FOX News and other TV networks. She has been featured as a published author in OBSERVER, ADWEEK, and countless other industry publications. Her research on brand activism and cancel culture is widely distributed and referenced. She graduated from Boston University’s College of Communication with a major in public relations and is a founding member of The Young Entrepreneurs Council. She is also the host of The Kris Ruby Podcast Show, a show focusing on the politics of big tech and the social media industry. Kris is focused on PR for SEO and leveraging content marketing strategies to help clients get the most out of their media coverage.