After Facebook alerted the Data Protection Commission (DPC) that it had found hundreds of millions of user passwords stored on its internal servers in plain text format, the DPC launched an investigation to determine whether the company had acted in compliance with the General Data Protection Regulation (GDPR), according to an April 25 press release.
According to its website, the DPC is the Irish supervisory authority for GDPR and is the national independent authority charged with upholding the data protection rights of individuals in the EU.
“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers. We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR,” a statement from the DPC said.
Though a Facebook spokesperson told Business Insider, “We are working with the IDPC on their inquiry. There is no evidence that these internally stored passwords were abused or improperly accessed,” the accidental mishandling of these passwords could result in a multi-billion-dollar fine for the social media company, according to the news outlet.
The news comes only days after Facebook said it had unintentionally uploaded – without consent – the emails of 1.5 million users. Earlier this month, Infosecurity also reported that over half a billion Facebook records were leaked by third-party app developers.
Facebook announced on March 21, 2019, that it had found some passwords being stored in readable format on its internal data storage systems, and the company updated that post on April 18 to add: “Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”