Meta fined $102M for storing passwords in plain text

GDPR, fines, and what counts as a “breach”

  • Incident stems from passwords stored in readable (unhashed) form since 2012, discovered and remediated in 2019, after GDPR came into force in May 2018.
  • Fine is for multiple GDPR violations: inadequate technical measures to secure the data, failing to notify the regulator without undue delay, and failing to document the breach.
  • Some think $102M (about €91M) is low vs the theoretical maximum of 4% of global turnover; others note regulators rarely use the maximum and factor in self‑reporting and perceived impact.
  • Strong debate over whether this is a “breach” or just a “control failure”:
    • One side: internal access to plaintext passwords is inherently a personal data breach under GDPR’s broad definition and creates a “reasonable expectation” of misuse.
    • Other side: without evidence of unauthorized use or harm, calling it a breach is overreach and weakens GDPR’s credibility.

Nature and severity of Meta’s failure

  • Many highlight that passwords were likely captured accidentally (e.g., debug logging, request‑logging middleware, crash dumps) rather than intentionally stored unhashed.
  • Others argue “no intent” is irrelevant; if someone noticed and cleanup was deferred, it effectively became intentional.
  • Concern over impact beyond Meta accounts due to widespread password reuse (e.g., employees or insiders accessing users’ other services).

How large organizations end up here

  • Descriptions of big‑org realities: legacy systems, unclear ownership, massive logs never reviewed, over‑permissive access (“just give them everything so work gets done”).
  • Some blame culture and management: security tickets deprioritized, focus on closing tickets vs fixing root causes, “compliance theater” over true security.
  • Counterpoint: it’s still negligent to accept known dangerous patterns (e.g., unsecured core dumps, plaintext logs) just because systems are complex.

Developer competence, hiring, and security culture

  • Multiple commenters say many developers don’t understand basic security (password handling, PII in logs, PCI/PII rules), and managers don’t incentivize learning.
  • Others argue competent engineers should know relevant regulations; security questions should be part of hiring, especially for sensitive systems.
  • Recurrent theme: logging middleware and support channels (email, chat, phone) are common, underestimated vectors for leaking secrets.
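The accidental-logging failure mode raised above (debug logging and request-logging middleware capturing credentials) and the point that logging middleware is an underestimated leak vector, shown as an added example that is not from the discussion or from Meta's systems. It contrasts a "dump everything" request logger with one that redacts credential fields and headers before writing, and includes a scanner of the kind one would run over existing logs to find plaintext passwords already there. All handler names, field names and log lines below are constructed for illustration.

```python
"""Added example: leaky vs. redacting request logging, plus a log scanner.
Everything here (function names, field list, sample log) is illustrative."""
import json
import re
from typing import Dict, List, Tuple

# Keys whose values must never reach a log. A real deployment extends this.
SENSITIVE_KEYS = {"password", "passwd", "pass", "secret", "token",
                  "authorization", "cookie", "api_key"}
REDACTED = "[REDACTED]"


def redact(obj):
    """Recursively replace values of sensitive keys in a parsed JSON body."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def leaky_logger(method: str, path: str, headers: Dict[str, str],
                 body: str, sink: List[str]) -> None:
    """'Debug' middleware: writes the whole request, credentials included."""
    sink.append(f"{method} {path} headers={headers} body={body}")


def safe_logger(method: str, path: str, headers: Dict[str, str],
                body: str, sink: List[str]) -> None:
    """Same log line, but credential headers and fields are redacted and
    non-JSON bodies are omitted rather than guessed at."""
    safe_headers = {k: (REDACTED if k.lower() in SENSITIVE_KEYS else v)
                    for k, v in headers.items()}
    try:
        safe_body = json.dumps(redact(json.loads(body)))
    except (ValueError, TypeError):
        safe_body = f"<{len(body)} bytes omitted>"
    sink.append(f"{method} {path} headers={safe_headers} body={safe_body}")


# Shapes credentials commonly take in logs: JSON fields, form/query
# parameters, and Basic auth headers. Tune for your own log formats.
LEAK_PATTERNS = [
    re.compile(r'"(?:password|passwd|secret|token)"\s*:\s*"([^"]+)"', re.I),
    re.compile(r'(?:^|[?&\s])(?:password|passwd)=([^&\s]+)', re.I),
    re.compile(r'Basic\s+([A-Za-z0-9+/=]{8,})'),
]


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, captured_value) for each apparent credential,
    ignoring values that were already redacted."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pat in LEAK_PATTERNS:
            for m in pat.finditer(line):
                if m.group(1) != REDACTED:
                    hits.append((n, m.group(1)))
    return hits


# Constructed log excerpt: three leaks and one properly redacted line.
SAMPLE_LOG = [
    '2024-09-27T10:00:01Z INFO POST /login body={"username": "alice", "password": "hunter2"}',
    '2024-09-27T10:00:02Z INFO GET /reset?user=bob&password=correcthorse',
    '2024-09-27T10:00:03Z DEBUG hdr Authorization: Basic dXNlcjpodW50ZXIy',
    '2024-09-27T10:00:04Z INFO POST /login body={"username": "carol", "password": "[REDACTED]"}',
]


def demo() -> Tuple[List[str], List[str]]:
    """Run one constructed login request through both loggers."""
    headers = {"Authorization": "Basic dXNlcjpodW50ZXIy",  # user:hunter2
               "Content-Type": "application/json"}
    body = json.dumps({"username": "alice", "password": "hunter2", "remember": True})
    leaky, safe = [], []
    leaky_logger("POST", "/login", headers, body, leaky)
    safe_logger("POST", "/login", headers, body, safe)
    return leaky, safe


if __name__ == "__main__":
    leaky, safe = demo()
    print("leaky:", leaky[0])
    print("leaks found:", scan_log_lines(leaky))
    print("safe: ", safe[0])
    print("leaks found:", scan_log_lines(safe))
    print("sample log hits:", scan_log_lines(SAMPLE_LOG))
```

The redacting logger fails closed on bodies it cannot parse, which is the choice that matters: a middleware that falls back to logging the raw body "just for debugging" is exactly how a login form ends up in a log retained for years. The scanner is deliberately pattern-based and will miss credentials in unusual encodings, so treat a clean result as a starting point, not proof of absence.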

Views on EU regulation and incentives

  • Some see GDPR fines as necessary to create real incentives, since otherwise companies “don’t care.”
  • Others view GDPR as burdensome “import tariff” or legal minefield that pushes smaller sites to block EU users.
  • Disagreement over how “big” and indispensable the EU market is, but consensus that large tech firms will generally comply rather than exit.