Lawsuit filed alleging social network failed to inform users of risks associated with its single sign-on tool
Facebook is facing legal action in the United States after a breach in September 2018, when hackers were able to steal data from 29 million accounts.
Facebook initially thought that the hackers had accessed 50 million accounts, but after an investigation the company revised this figure down to 29 million accounts.
The hackers were able to access a range of data depending on what people had on their profiles. It included names and contact details (phone number, email, etc.) and, in some cases: username; gender; locale/language; relationship status; religion; hometown; self-reported current city; birthdate; device types used to access Facebook; education; work; the last 10 places they checked into or were tagged in; websites, people or Pages they follow; and the 15 most recent searches.
So pretty sensitive data then.
The lawsuit was filed in the US District Court for the Northern District of California in San Francisco, and according to Reuters, parts of the filing were heavily redacted.
What the filing did allege, however, is that the social network failed to warn customers about risks tied to its single sign-on tool, even though it protected its own staff. Single sign-on connects users to third-party social apps and services using their Facebook credentials.
It is understood that the lawsuit combined several legal actions, but all concern Facebook’s worst-ever security breach last September, when hackers stole login codes – or “access tokens” – that allowed them to access nearly 29 million accounts.
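The reason stolen access tokens are so damaging is that a bearer token stands in for the login itself: whoever holds it is treated as the user until the token expires or the issuer revokes it. The sketch below is an added illustration, not Facebook's code or anything from the filing; the `TokenStore` class, its method names and the sample timestamps are this example's own assumptions. It shows the three containment controls a single sign-on issuer relies on once tokens are known to be exposed: a short lifetime, binding each token to the third-party app it was issued for, and bulk revocation of everything issued before the incident was detected.

```python
"""Added example (not from the article): a minimal server-side access token
store showing how exposed tokens are contained by expiry, audience binding
and bulk revocation. All names and values here are hypothetical."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    user_id: str
    app_id: str        # third-party app (SSO relying party) the token was issued to
    issued_at: float   # epoch seconds
    expires_at: float  # epoch seconds


class TokenStore:
    """Issues opaque bearer tokens and validates them on every use.

    Only a SHA-256 digest of each token is stored, so a copy of this table
    on its own does not yield usable tokens."""

    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl = ttl_seconds
        self._records: Dict[str, TokenRecord] = {}
        # Tokens issued at or before this instant are considered compromised.
        self._incident_cutoff: Optional[float] = None

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, app_id: str, now: Optional[float] = None) -> str:
        """Mint a random token for user_id, usable only by app_id."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[self._digest(token)] = TokenRecord(
            user_id, app_id, now, now + self.ttl
        )
        return token

    def validate(self, token: str, app_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id the token grants access to, or None if it must be refused."""
        now = time.time() if now is None else now
        rec = self._records.get(self._digest(token))
        if rec is None:
            return None                      # unknown or already purged
        if now >= rec.expires_at:
            return None                      # lifetime exhausted
        if rec.app_id != app_id:
            return None                      # presented by a different relying party
        if self._incident_cutoff is not None and rec.issued_at <= self._incident_cutoff:
            return None                      # issued before the incident: treated as stolen
        return rec.user_id

    def revoke_all_issued_before(self, cutoff: float) -> None:
        """Incident response: invalidate every token minted at or before `cutoff`.

        Users are forced to sign in again, which also invalidates any copy an
        attacker holds; tokens minted afterwards keep working."""
        if self._incident_cutoff is None or cutoff > self._incident_cutoff:
            self._incident_cutoff = cutoff


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=60.0)
    t = store.issue("alice", "photo-app", now=1000.0)       # constructed timestamps
    print(store.validate(t, "photo-app", now=1010.0))        # alice
    print(store.validate(t, "other-app", now=1010.0))        # None: wrong audience
    store.revoke_all_issued_before(1005.0)                   # breach detected
    print(store.validate(t, "photo-app", now=1010.0))        # None: revoked
```

A real issuer would persist the records and the revocation cutoff in a database rather than in memory, but the checks performed on each request are the same: the token must exist, must not have expired, must be presented by the app it was issued to, and must post-date the last incident cutoff.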
“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” the plaintiffs reportedly said.
“Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”
Facebook did not respond to a request for comment.
It is not clear how many of those hacked are in Europe, but the data breach does raise the nightmare possibility for Facebook’s management of a General Data Protection Regulation (GDPR) fine in Europe.
The Irish Data Protection Commission, which is acting as the lead investigator on this side of the pond as Facebook has its European headquarters in Ireland, is investigating the breach.
Similar investigations are also reportedly underway in the US states of Connecticut and New York.
In Europe, the hack could result in Facebook being issued with a maximum fine of up to $1.63bn (£1.25bn), which is approximately 4 percent of its annual global revenue.