Irish data regulator looking into Facebook password gaffe


Ireland's Data Protection Commission (DPC) has confirmed it's looking into the hundreds of millions of passwords that Facebook stored in plain text, without any encryption or hashing.

The social network notified the regulator that user passwords for Facebook, Facebook Lite and Instagram were stored in plain text in the company's internal servers.

This is not the first or only investigation launched by the DPC into Facebook; in December the organisation announced it had started a second inquiry after the social network revealed a bug that exposed 6.8 million users' photos.

The latest inquiry is focused on an incident in March, where Facebook notified users in a blog post that "some" passwords were stored in a readable format. But much further down the post, the "some" Facebook referred to was actually "hundreds of millions" across three of its services.

"The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers," the regulator said.

"We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR."

On the surface, it may seem like another problem to add to the list for Facebook, but the timing of the announcement could be crucial. While the company has been dogged by controversy over the last year, due to its questionable data privacy policies and repeated security glitches, to date the only regulatory action has come from the UK's ICO - a £500,000 fine under the Data Protection Act 1998 - which Facebook has appealed.

But regulators around the world are circling. The US Federal Trade Commission is preparing a hefty penalty based on a data privacy investigation that began in 2011, and most recently Canada's federal privacy commissioner has said his office will go to court to seek an order forcing Facebook to correct its privacy practices.

"The stark contradiction between Facebook's public promises to mend its ways on privacy and its refusal to address the serious problems we've identified - or even acknowledge that it broke the law - is extremely concerning," privacy commissioner Daniel Therrien said in a statement to the BBC.

Facebook's European infrastructure is mainly established in Ireland, where it has datacentres and benefits from the One Stop Shop mechanism provided for in the GDPR. This rule means that organisations carrying out cross-border personal data processing activities will only have to deal with one supervisory authority.

For Facebook, this is the DPC. The Irish data regulator arguably has the biggest data processing organisation to watch over and, given the torrid year Facebook has had, the most problematic to boot.

"Ireland has a strong role to play in ensuring the world of social media complies with GDPR regulations, and since Canada has already found Facebook to seriously contravene its privacy laws, one would expect the Irish regulator may find it violating GDPR as well," said Anjola Adeniyi, technical leader for EMEA at Securonix.

"The password leak happened post-GDPR and identity theft is a potential risk, so the Irish regulator is also investigating Facebook's use of personal data."

Bobby Hellard

Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.

Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.