Meta fined $101M for storing passwords in plaintext (opens in new tab)

discussed previously: https://news.ycombinator.com/item?id=41669912

I almost guarantee this is some logging system configured to "just log every request" or "just keep the innerHTML of the whole page whenever an error occurs for debugging" or similar, which picked up password fields too.

Super easy mistake to make.

They have never been specific about it but everything about this story suggests that the "storage" in question was logs. It is easy to accidentally create a system that logs passwords as a side effect of logging some request along with its parameters, and it takes structure and discipline to avoid it.

I’m not sure how it’s even possible to store plaintext passwords in 2024, don’t most systems use a base level of encryption by default?

Also surely someone noticed before they had to be fined, yikes

Guys, it is very difficult to avoid logging clear text passwords if your systems are set up to compile auditable logs of anything, and you already know why.

Because people will constantly enter their passwords in the wrong places, that's why. Classic Unix systems administrators always found passwords logged as usernames. Or in shell history files. Or on typescript transcripts.

Facebook's forms are no different, and all it takes is a moment of inattention, type into the wrong field, an accidental copy-paste, or an overzealous password manager, and how many millions of users will eventually send in their passwords?

The truly marvelous technical feat would be to devise a way to stop this. Essentially, you couldn't. It's a complex issue. Not negligence.

This is why I always hash passwords client side before sending them to my servers. That way, when I store them in plain text, I can say it is just the hash and not the password itself!

On a relevant note, how is this fine amount determined? Were there any damages?

$101M for a problem from 5 years ago, fixed quickly with no harm done to anybody, with users notified immediately at the time.

I wonder how much of a fine Ireland would have levied on an Irish company in similar circumstances.

Side effect of "move fast and break things", which is why the slogan has been changed to "move fast with stable infrastructure" (not kidding)

[dupe] you new here?

More discussion: https://news.ycombinator.com/item?id=41669912

https://news.ycombinator.com/item?id=41678840

If you don’t want to deal with the headaches and complexities of actual encryption, base64 at least gets you some level of information hiding.

This isn't substantial money for Meta, is it?

they should prove damages before setting fines like this.

the american gov is spending billions upon billions to defend the eu and they have the gall to nitpick & set 7 to 9 fig fines using %revenue (extortion) on their companies, which are btw providing valuable services (for free) to eu citizens. beyond ridiculous, especially with no sensible cap on the fines.

all the gdpr has done is make the web more miserable, someone from the usgov should give a call to the data protection office or wtv to remind them of their actual importance in the grand scheme of things.

and this is ignoring the damage they're doing to their own tech ecosystem with this over-regulation.