Facebook sued over exposure of 50 million users’ data

Following Facebook’s confirmation of the largest hack in its history, two people have filed a lawsuit against the company in the federal court in California.

The security breach, which exposed 50 million users’ accounts, is the largest known hack in the history of the troubled social media mammoth.

The attack exposed tens of millions of users’ full profiles, including private photos, and names and dates of birth of friends and families. It also gave the attackers access to services that affected users had logged into using their Facebook accounts, including Instagram, Tinder, Spotify and other services. The accounts of CEO Mark Zuckerberg and COO Sheryl Sandberg were among those exposed.

According to a statement posted by Facebook, the hackers exploited a vulnerability associated with Facebook’s ‘View As’ feature, which allows users to view their profile as a different user. Using this, the hackers acquired ‘access tokens’ – digital keys that normally allow users to stay logged in – which could be used to access users’ accounts.

Facebook said that it had informed law enforcement, reset 90 million users’ access tokens (requiring them to log back in), informed those users of what had happened, and turned off the ‘View As’ feature during a security review.

The lawsuit was filed by a Californian woman and a Virginian man on behalf of Facebook users within hours of Facebook’s statement being published. The plaintiffs said that personal information had been exposed “due to a flaw in Facebook’s code that allowed hackers and other nefarious users to take over user accounts and siphon off personal information for unsavoury and illegal purposes.”

Meanwhile, commentators have speculated over whether the hack could lead to Facebook being slapped with a weighty fine in Europe, where the General Data Protection Regulation may have been breached. The Irish Data Protection Commission – Facebook’s dominant data regulator in Europe given its headquarters in Dublin – has requested more information about the incident. The Wall Street Journal has estimated that Facebook could face a fine of up to £1.25bn, which is approximately four per cent of its annual global turnover.

Meanwhile, a former Facebook content moderator has also sued the company, arguing that the firm did not sufficiently protect her from the mental trauma she suffered as a result of having to view explicit content showing thousands of beheadings, mutilations and sexual attacks. According to the lawsuit, the plaintiff suffered from “debilitating” post-traumatic stress disorder as a result of her work with Facebook.
