The Republic of Ireland’s Data Protection Commission (DPC) hit Meta Platforms with fines totalling €91 million for inadvertently storing hundreds of millions of user passwords incorrectly.

Meta Platforms notified the DPC in March 2019 that it had stored certain passwords of social media users in plaintext without encryption or protection.

The DPC stated in its final decision on the matter that the passwords were not made available to external parties.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” DPC Deputy Commissioner Graham Doyle said in a statement. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

The scope of the IDC’s inquiry falls under the European Union’s General Data Protection Regulation (GDPR).

The DPC fined Meta Platforms €1.2 billion in May 2023 for breaches of European Union laws covering data protection. The tech giant is appealing that fine.

The most recent fine also adds to a €390 million penalty the DPC imposed on Meta Platforms in January 2023 and a €405 million charge in 2022, which are also related to breaches of data processing rules.