Shortly after Facebook admitted that passwords of between 200 million and 600 million users were stored in plain text on internal servers for years, the Irish Data Protection Commission has instituted an enquiry into whether Facebook was in violation of GDPR because of the way it stored passwords of millions of users.
In March, Facebook announced in a blog post that it had discovered the storage of user passwords in plain text during a security review in January this year, adding that there was no evidence of anyone improperly accessing or internally abusing such passwords.
"As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way.
"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity," the company said.
Facebook's admission came shortly after a senior Facebook employee told KrebsOnSecurity that a number of employee-built applications logged unencrypted passwords of millions of Facebook users and stored them in plain text on Facebook's internal servers. Over 20,000 Facebook employees who had access to these servers could view these passwords anytime they wanted.
According to the source, around 2,000 developers or engineers "made approximately nine million internal queries for data elements that contained plain text user passwords."
Irish Data Protection Commission invokes GDPR
Yesterday, the Irish Data Protection Commission announced that it had instituted an inquiry into whether Facebook was in violation of GDPR because of the way it stored passwords of millions of users.
"The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers. We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR," it said.
"Ireland has a strong role to play in ensuring the world of social media complies with GDPR regulations, and since Canada has already found Facebook to seriously contravene its privacy laws, one would expect the Irish regulator may find it violating GDPR as well. The password leak happened post-GDPR and identity theft is a potential risk so the Irish regulator is also investigating Facebook’s use of personal data," said Anjola Adeniyi, technical leader for EMEA at Securonix.
This is the second time this year that Facebook's data protection practices have attracted the attention of the Irish Data Protection Commission. In January, the commission directed Facebook to provide an urgent briefing on the planned integration of the basic infrastructure of WhatsApp, Instagram, and Facebook Messenger.
"While we understand that Facebook’s proposal to integrate the Facebook, WhatsApp and Instagram platforms is at a very early conceptual stage of development, the Irish DPC has asked Facebook Ireland for an urgent briefing on what is being proposed.
"The Irish DPC will be very closely scrutinising Facebook’s plans as they develop, particularly insofar as they involve the sharing and merging of personal data between different Facebook companies. Previous proposals to share data between Facebook companies have given rise to significant data protection concerns and the Irish DPC will be seeking early assurances that all such concerns will be fully taken into account by Facebook in further developing this proposal.
"It must be emphasised that ultimately the proposed integration can only occur in the EU if it is capable of meeting all of the requirements of the GDPR," the data privacy watchdog said.