Facebook Lawsuit Says It Failed to Warn Users of a Known Security Vulnerability

A court filing accuses Facebook of failing to disclose an access token vulnerability to its users, despite taking steps to protect its employees. The resulting breach affected up to 29 million people.

A lawsuit against Facebook accuses the company of failing to inform users about a flaw, despite taking steps to protect its employees. The vulnerability in question involves its single sign-on, a tool that connects users to third-party apps using their Facebook account.

The flaw led to a large-scale breach, with hackers stealing tokens that allowed sign-on to almost 29 million accounts.

“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” suggests the heavily redacted court filing. “Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”

Facebook's Biggest Breach

14 million of the affected users had their profile details, like education history, devices used, recent searches, and more used. A further 14 million had their names and contact details leaked.

The breach occurred in September and is Facebook's worst to date. The company has been attempting to prevent the San Francisco legal action from moving forward but was shut down by the court. The current lawsuit combines several actions.

At the time Facebook's request was denied, U.S. district judge William Alsup said he believes the company should be held accountable.

“From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers' personal data to turn a blind eye and ignore known security risks,’” he said.

Though the social media giant disclosed estimates of affected users, it did not provide a per-country breakdown or other useful information.