In July 2018, attackers broke into the systems of the German social media platform Knuddels and leaked personal data of its users.

Almost two months later, Knuddels was anonymously notified that the data of over 8,000 members had been published on Pastebin, together with more than 1.8 million further user credentials, according to the German news site Spiegel Online. The company later announced that approximately 808,000 email addresses and 1,872,000 pseudonyms and passwords had been stolen by unknown persons and published on the Internet.

Knuddels immediately informed its users about the breach and urged them to change their passwords. It also complied with the GDPR's breach-notification duty (Article 33) by reporting the incident to the LfDI Baden-Württemberg, the competent data protection authority. To limit further damage, it temporarily deactivated all accounts.

The investigation that followed revealed that the site had been storing its users' passwords in plain text. GDPR Article 32(1)(a) obliges a company processing personal data to implement appropriate technical and organisational security measures and names pseudonymisation and encryption of personal data as examples of such measures; a database of readable passwords plainly fails that standard. For passwords specifically, the appropriate measure is not reversible encryption but a salted, deliberately slow one-way hash (bcrypt, scrypt, Argon2 or PBKDF2), so that a stolen user table cannot be turned back into working credentials.
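To make the difference concrete, here is an added illustration (written for this page, not code from Knuddels or from the investigation) that places the plain-text storage pattern beside a hardened store using salted PBKDF2-HMAC-SHA256 and then shows what an attacker who dumps each user table actually obtains. The account names and passwords are constructed, the record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` is a common encoding chosen for readability, and the iteration count is an assumption that should follow current guidance for your platform.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts for the demonstration; not data from the breach.
SAMPLE_USERS = [
    ("sunflower_93", "correct horse battery staple"),
    ("mgr_mueller", "Sommer2018!"),
]

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it as hardware gets faster).
PBKDF2_ITERATIONS = 600_000


class PlaintextPasswordStore:
    """The anti-pattern described in the article: the stored column is the password itself."""

    def __init__(self):
        self.rows = {}  # pseudonym -> password

    def register(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password


class HashedPasswordStore:
    """Hardened form: a random per-user salt and a slow salted hash are stored, encoded as
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'; the password is never written."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self.iterations = iterations
        self.rows = {}  # pseudonym -> encoded record

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        digest = self._derive(password, salt, self.iterations)
        self.rows[user] = f"pbkdf2_sha256${self.iterations}${salt.hex()}${digest.hex()}"

    def verify(self, user, password):
        record = self.rows.get(user)
        if record is None:
            # Burn the same work for unknown users so response time does not
            # reveal whether a pseudonym exists.
            self._derive(password, b"\x00" * 16, self.iterations)
            return False
        _algo, iterations, salt_hex, digest_hex = record.split("$")
        candidate = self._derive(password, bytes.fromhex(salt_hex), int(iterations))
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dump_table(store):
    """What an attacker who exfiltrates the user table obtains: a copy of the rows."""
    return dict(store.rows)


def leak_reveals_password(store, user, password):
    """True if the dumped row for `user` contains the password verbatim."""
    return password in dump_table(store)[user]


def build_stores(users=SAMPLE_USERS):
    """Populate both stores with the same constructed accounts."""
    plain, hashed = PlaintextPasswordStore(), HashedPasswordStore()
    for user, password in users:
        plain.register(user, password)
        hashed.register(user, password)
    return plain, hashed


if __name__ == "__main__":
    plain, hashed = build_stores()
    for store in (plain, hashed):
        print(type(store).__name__, dump_table(store))
        print("  leak reveals password:",
              leak_reveals_password(store, "sunflower_93", "correct horse battery staple"))
```

Both stores authenticate the same users identically; the difference only shows once the table is stolen. The plain-text dump is immediately usable for credential stuffing against other services, while the hashed dump forces an attacker to spend the configured work factor per guess and per account, because each salt is different.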

Although the GDPR provides for fines of up to 20 million euros or 4% of global annual turnover, whichever is higher, Knuddels was fined only 20,000 euros. The authority stated that the company's extensive cooperation was the reason it avoided a far higher fine: Knuddels quickly implemented wide-ranging measures to improve its IT security and continued to work with the authority on additional measures to strengthen data security after the incident.

At a time when hacking attacks can hardly be ruled out entirely, the Knuddels case serves as a good example of how transparency and prompt remediation in the interest of users' privacy lead to a far more favorable outcome.