In a significant cybersecurity oversight, Meta disclosed a failure to adequately protect the passwords of hundreds of millions of users, raising alarms about its data protection practices. The incident, which came to light in 2019, highlights the critical importance of employing robust hashing algorithms in safeguarding sensitive user information. Hashing, a process that converts plaintext passwords into an inscrutable format, is essential for preventing unauthorized access to user accounts.
For hashing schemes to be effective, they must meet stringent requirements, including the use of algorithms that demand considerable computational resources per guess. General-purpose hashes such as SHA-1 and MD5, which are designed for rapid processing and efficiency, fall short in this regard and are unsuitable for password storage. In contrast, password-specific algorithms like bcrypt, PBKDF2, and sha512crypt are intentionally designed to be slow and to require significantly more processing power and memory, thus enhancing their resistance to cracking attacks.
An essential component of effective hashing is cryptographic salting: a unique random value is combined with the plaintext password before it is hashed, so that identical passwords produce different hashes and precomputed lookup tables cannot be reused. This raises the cost of cracking, in which an adversary employs extensive computational resources to guess the original password by generating and comparing vast numbers of candidate hashes, often in the hundreds of millions.
The primary objective of using hashing is to ensure that passwords are stored solely in their hashed form, thereby eliminating plaintext storage and enhancing data security. Should a breach occur, even if the hashed data is compromised, it would still impose a significant barrier to unauthorized access.
In the aftermath of the disclosure, Graham Doyle, deputy commissioner at Ireland’s Data Protection Commission, emphasized the inherent risks associated with storing user passwords in plaintext, particularly within the context of social media account access. The regulatory commission has been investigating the incident for over five years, concluding that Meta’s inadequate measures constituted a significant lapse in data protection standards.
This week, the commission imposed a fine of $101 million (91 million euros) on Meta, marking yet another penalty in a series of violations linked to the General Data Protection Regulation (GDPR). Since the regulation’s implementation in 2018, Meta has faced fines exceeding $2.23 billion (2 billion euros), including a record penalty of $1.34 billion (1.2 billion euros) from last year, which the company is currently contesting.
From a cybersecurity perspective, the Meta incident potentially touched several MITRE ATT&CK tactics and techniques, including initial access through inadequate user authentication mechanisms and privilege escalation through compromised password management. As businesses increasingly rely on digital infrastructure, the Meta incident serves as a crucial reminder of the need for stringent data protection practices to thwart cyber threats and safeguard sensitive information.