It’s Germany’s first GDPR fine, for an incident that affected millions of accounts. The social chat service Knuddels saw about 808,000 email addresses and over 1.8 million usernames and passwords exposed after an attack in July; the perpetrators went on to publish the information in cleartext on Pastebin and the Mega cloud storage service. An investigation by regulators showed that the website stored its data in plain text with no safeguards – which Knuddels confirmed.
“In 2012, the storage of passwords was introduced as a hash,” the company said on its message boards (translation by Google). “The non-hashed version of the passwords, however, was also preserved.”