foota
It's mentioned in nested comments, but (as you'd probably expect) Meta does not intend to store passwords in plaintext. There was a bug where they were logging plaintext passwords for some period of time, e.g., when someone tried to log in, etc.
Culonavirus
> a senior employee told Krebs on Security back then that the incident involved up to 600 million passwords. Some of the passwords had been stored in easily readable format in the company's servers since 2012. They were also reportedly searchable by over 20,000 Facebook employees

I thought this was gonna be some limited faux pas... but no. That's terrible.

nh2
0.1 % of current revenue fine.

If your company made a billion $ revenue per year, it'd have to pay $100k.

Doesn't feel like a great incentive to do it right.

If they improved debuggability by logging all requests to make the company more than 0.1 % efficient, it's a good deal for them.

hannofcart
Oh so the hashing and rainbow table attack questions they ask in Meta interviews are basically a cry for help?
1vuio0pswjnm7
Incompetence does not require intent.
tveyben
102M$ might sound like a large sum - but the math shows that a leaked clear text password here is just fined with less than one dollar…

(Yes I have read the fine is triggered by not informing the authorities in due time)

Interesting how the affected user is actually valuated…

DexesTTP
Context: This is for a 2019 data breach on a system that was created in 2012. The GDPR was instated in 2018 (has it really been that long? Wow feels like yesterday) and Meta failed to disclose the 2019 data breach properly under GDPR, hence the fine.
can16358p
I really don't get how companies so large do stupid things like this.

Hashing and salting passwords isn't some newly introduced advanced rocket science, it's literally a 101-level "obvious" thing. How a huge corporation like Meta/Facebook can do this is beyond my imagination.

bberrry
I would hope it's not the authentication team's systems that are logging payloads with passwords... they should definitely know better. Presumably it happened in some infrastructure component owned by another team.
AmericanChopper
This is a very imaginative use of the word “breach”, according to the details reported in the article at least. Internal staff (inadvertently) had access to users’ plaintext passwords. The article doesn’t mention any use of these credentials in a breach though, and doesn’t make any refutation of Meta’s claim that this never occurred. Internal staff having access to my data is what I would normally expect from a service like the ones Meta operates. It’s a bad mistake to make, but contriving these circumstances into being a “breach” is a bit more mask-off than I’m used to the Data Protection agencies being. Hope Ireland makes good use of its $102M.
Myrmornis
Who gets the money and what will it be spent on?
qwerty456127
Wow I didn't know this is illegal.
schleck8
Can't wait to give them access to everything I do on the daily by wearing their AR glasses.