I almost guarantee this is some logging system configured to "just log every request" or "just keep the innerHTML of the whole page whenever an error occurs for debugging" or similar, which picked up password fields too.
Super easy mistake to make.
This is why I always hash passwords client side before sending them to my servers. That way, when I store them in plain text, I can say it is just the hash and not the password itself!
On a relevant note, how is this fine amount determined? Were there any damages?
Can't tell if your being sarcastic or not. Now your hashes are just the passwords. Your server can't unhash them, so anyone intercepting your traffic effectively has the password.
I was being sarcastic, but, why wouldn't client-side hashing of passwords prevent some class of attacks that can be used when plaintext passwords are accidentally stored(and eventually exfiltrated) - eg credential stuffing?
Because you've just changed what the password is. For example if your password is X, with hash Y, the server identifies Y as your password. Then I come along and steal Y. The server has no concept of X, so to the server you and I are equally valid in being you. We both present the hashed password Y.
There are people who just append password with the name of site or something relevant to site. Like "mypasswordfb". It would prevent guess google's password as "mypasswordgoogle"
Isn't there still an advantage of hash Y is now known and is like abcd1234 while the password X (hunter2) remains unknown?
So while you can still authenticate as the user to say facebook you can't login to their linkedin account. Assuming, facebook and linkedin don't use the same client side salt.
I’m not sure how it’s even possible to store plaintext passwords in 2024, don’t most systems use a base level of encryption by default?
Also surely someone noticed before they had to be fined, yikes
They realized in 2019. I'm assuming it wound up in logs somewhere and someone went "why the heck am I seeing prod passwords?"
Absolutely many people must have noticed. It was either technically infeasible to encrypt those (doesn't seem likely). Or the business decided it wasn't worth the investment (more likely).
Logs.
discussed previously: https://news.ycombinator.com/item?id=41669912
$101M for a problem from 5 years ago, fixed quickly with no harm done to anybody, with users notified immediately at the time.
I wonder how much of a fine Ireland would have levied on an Irish company in similar circumstances.
Probably less because there aren't many companies of Irish origin with a worldwide annual revenue that's as high as Facebook's.
This Ireland you speak of makes the foreign Meta Platforms much more money in tax avoidance/evasion.
Side effect of "move fast and break things", which is why the slogan has been changed to "move fast with stable infrastructure" (not kidding)
[dupe] you new here?
More discussion: https://news.ycombinator.com/item?id=41669912
If you don’t want to deal with the headaches and complexities of actual encryption, base64 at least gets you some level of information hiding.
They have never been specific about it but everything about this story suggests that the "storage" in question was logs. It is easy to accidentally create a system that logs passwords as a side effect of logging some request along with its parameters, and it takes structure and discipline to avoid it.
This isn't substantial money for Meta, is it?
It's a little less than 0.3% of their earnings for a single quarter, so no, not at all.
Seems like a card to remind people to be careful when developing systems.
they should prove damages before setting fines like this.
the american gov is spending billions upon billions to defend the eu and they have the gall to nitpick & set 7 to 9 fig fines using %revenue (extortion) on their companies, which are btw providing valuable services (for free) to eu citizens. beyond ridiculous, especially with no sensible cap on the fines.
all the gdpr has done is make the web more miserable, someone from the usgov should give a call to the data protection office or wtv to remind them of their actual importance in the grand scheme of things.
and this is ignoring the damage they're doing to their own tech ecosystem with this over-regulation.
> all the gdpr has done is make the web more miserable
For those in the US? Perhaps, at least if we only look at the direct impact.
In the EU it made all sorts of privacy abuse that's completely standard and accepted in the US (credit agencies, payroll companies, etc. etc. sharing all sorts of information with anyone who asks/pays in addition to online tracking) legally impossible.