A lawsuit against Facebook accuses the company of failing to inform users about a security flaw, despite taking steps to protect its own employees. The vulnerability in question involves its single sign-on feature, a tool that lets users sign in to third-party apps with their Facebook account.
The flaw led to a large-scale data breach, with hackers stealing access tokens that allowed sign-on to almost 29 million accounts.
“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” suggests the heavily redacted court filing. “Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”
Facebook’s Biggest Breach
14 million of the affected users had their profile details accessed, such as education history, devices used, recent searches, and more. A further 14 million had their names and contact details leaked.
The breach occurred in September and is Facebook’s worst to date. The company had been attempting to prevent the San Francisco legal action from moving forward but was shut down by the court. The current lawsuit combines several legal actions.
At the time Facebook’s request was denied, U.S. district judge William Alsup said he believes the company should be held accountable.
“From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks,’” he said.
Though the social media giant disclosed estimates of affected users, it did not provide a per-country breakdown or other useful information.