Facebook users suing the world’s largest social media network over a 2018 data breach say it failed to warn them about risks tied to its single sign-on tool, even though it protected its employees, a court filing on Thursday showed.

Single sign-on connects users to third-party social apps and services using their Facebook credentials.

The lawsuit, which combined several legal actions, stems from Facebook Inc’s worst-ever security breach in September, when hackers stole login codes — or “access tokens” — that allowed them to access nearly 29 million accounts.

“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” the plaintiffs said in a heavily redacted section of the filing in the U.S. District Court for the Northern District of California in San Francisco.

“Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”

Facebook did not immediately respond to a request for comment.

Judge William Alsup told Facebook in January he was willing to allow “bone-crushing discovery” in the case to uncover how much user data was stolen.

Facebook has revealed few details since initially disclosing the attack, saying only that it affected a “broad” spectrum of users without breaking down the numbers by country.

The attackers took profile details such as birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins from 14 million users.

For the other 15 million users, the breach was restricted to name and contact details. In addition, attackers could see the posts and lists of friends and groups of about 400,000 users.

They did not steal personal messages or financial data and did not access users’ accounts on other websites, Facebook said.
