Nearly 2 million username and password combinations along with 330,000 email and password combinations were exposed in a data breach impacting German social media platform Knuddels.de. The company received a €20,000 fine related to the EU’s General Data Protection Regulation (GDPR) because the passwords exposed were stored in plain text.
The company became aware of the data breach when it found its users' email addresses and passwords posted on Pastebin and other sites. Passwords were stolen from nearly all of the platform's more than two million users and were stored neither hashed nor encrypted. This led to the first GDPR fine in Germany, a relatively small one at €20,000 (about $22,700).
The social media and messaging company claimed to have stored both hashed and plain text passwords, and has since deleted the plain text password database. Keeping a plain text copy alongside the hashes defeats the purpose of hashing: whoever obtains the database gets the passwords directly, exactly as happened here. Germany's data protection authority stated that Knuddels had shown transparency and cooperation and had implemented measures to improve security since the breach, which likely contributed to the low fine amount.
Under GDPR, regulators can fine up to €20 million or 4 percent of annual worldwide turnover, whichever is higher.
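The practical lesson of the Knuddels case is that a password database should never be readable as passwords. The following is an added example, not Knuddels' code or anything from the article, showing the vulnerable pattern (a store that keeps the plain text password) next to the hardened form: a salted, memory-hard scrypt hash with constant-time verification, using only the Python standard library. The user names, passwords and parameter choices are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data (not real accounts).
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"

# --- Vulnerable pattern: the store holds the password itself. -----------
# Anyone who obtains a dump of this dict has every password immediately.
def register_plaintext(store: Dict[str, str], username: str, password: str) -> None:
    store[username] = password          # nothing to crack, just read it


def login_plaintext(store: Dict[str, str], username: str, password: str) -> bool:
    return store.get(username) == password


# --- Hardened pattern: the store holds only a salted scrypt hash. -------
# scrypt parameters; N=2**14, r=8, p=1 costs ~16 MiB per hash, which fits
# OpenSSL's default memory limit. Raise N in production as hardware allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.

    Embedding the parameters lets the verifier keep accepting old records
    after the cost parameters are raised for new ones.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)     # fresh random salt per password
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/parameters and compare."""
    scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported password record scheme")
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(bytes.fromhex(hash_hex)),
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def register_hashed(store: Dict[str, str], username: str, password: str) -> None:
    store[username] = hash_password(password)


def login_hashed(store: Dict[str, str], username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        # Hash anyway so unknown and known user names take similar time.
        hash_password(password)
        return False
    return verify_password(password, record)


def dump_reveals_password(store: Dict[str, str], username: str, password: str) -> bool:
    """What an attacker holding a copy of the store learns: True if the
    password is present verbatim, as in a plain text store."""
    return store.get(username) == password


if __name__ == "__main__":
    weak: Dict[str, str] = {}
    strong: Dict[str, str] = {}
    register_plaintext(weak, SAMPLE_USER, SAMPLE_PASSWORD)
    register_hashed(strong, SAMPLE_USER, SAMPLE_PASSWORD)
    print("plain text store leaks password:", dump_reveals_password(weak, SAMPLE_USER, SAMPLE_PASSWORD))
    print("hashed store leaks password:    ", dump_reveals_password(strong, SAMPLE_USER, SAMPLE_PASSWORD))
    print("hashed login with right password:", login_hashed(strong, SAMPLE_USER, SAMPLE_PASSWORD))
    print("hashed login with wrong password:", login_hashed(strong, SAMPLE_USER, "wrong"))
```

The per-user random salt means two users with the same password get different records, so a leaked database cannot be cracked with a single precomputed table, and the embedded parameters let the site raise the work factor later without invalidating existing accounts. Both properties are lost the moment a plain text copy is kept next to the hashes.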
For more information: