The lead European Union privacy regulator has fined social media giant Meta €91 million for inadvertently storing some users’ passwords without protection or encryption.

The inquiry was opened five years ago after Meta notified Ireland’s Data Protection Commission (DPC) that it had stored some passwords in “plaintext.”

Ireland’s DPC is the lead EU regulator for most of the top US internet firms due to the location of their EU operations in the country.

Meta publicly acknowledged the incident at the time and the DPC said the passwords were not made available to external parties.

DPC Deputy Commissioner Graham Doyle said: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.

“It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

A Meta spokesperson told Reuters the company took immediate action to fix the error after identifying it during a security review in 2019, and that there is no evidence the passwords were abused or accessed improperly.

Meta engaged constructively with the DPC throughout the inquiry, the spokesperson added.