Facebook could face a $1.63bn fine in the European Union under Europe’s GDPR rules after the social media network revealed 50 million accounts had been hacked.
A Wall Street Journal article points out the privacy breach could trigger the maximum fine possible under the new laws, which could amount to 4% of the firm’s global annual revenue, around $1.63 billion.
Facebook would also be exposed to a maximum 2% fine if it failed to notify EU authorities within 72 hours of discovering the breach.
Facebook users Carla Echavarrai and Derrick Walker have already filed a suit in California's Northern District Court, accusing the social media network of negligence, of violating the state's unfair competition law, and of concealing 'grossly inadequate' security measures.
Attackers managed to bypass Facebook security and potentially gain control of user profiles and linked apps, which Facebook discovered last Tuesday and made public on Friday.
The attackers exploited flaws in the code behind Facebook's "View As" feature, which lets people see what their own profile looks like to others. A vulnerability in that code allowed the hackers to obtain access tokens, which could then be used to take over people's accounts. Access tokens are the credentials that keep people logged in without re-entering a password, so anyone holding a user's token can act as that user.
Facebook's code had been vulnerable to this type of sophisticated attack since it rolled out a new version of its video uploader in July 2017, but the problem has now been fixed.
The social media giant said it had reset tokens for the 50 million affected users, as well as for a further 40 million users as a precaution. Anyone who was logged out and had to sign back into Facebook on Friday morning may have been among those affected.
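To make the token problem described above and the token reset that followed it concrete, here is an added toy model. It is not Facebook's code and does not reproduce its actual bug: the token store, the token format, the profile data, and the specific way a "View As" preview mints and leaks a token for the impersonated user are all assumptions chosen for illustration. The flawed preview is placed beside a fixed one that never creates a credential for anyone but the logged-in viewer, and a bulk reset shows why revoking tokens cuts off an attacker who has already copied one.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample profiles: "private" fields are visible only to the owner.
PROFILES = {
    "alice": {"public": "Alice, works at Example Corp", "private": "phone 555-0100"},
    "bob": {"public": "Bob, lives in Springfield", "private": "phone 555-0199"},
}


@dataclass
class TokenStore:
    """In-memory access-token -> user-id map (assumption: stands in for the real session store)."""
    tokens: dict = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(24)
        self.tokens[token] = user_id
        return token

    def resolve(self, token: str):
        """Return the user a token belongs to, or None if it is unknown or revoked."""
        return self.tokens.get(token)

    def reset_user(self, user_id: str) -> int:
        """Revoke every token issued to one user; returns how many were revoked."""
        revoked = [t for t, u in self.tokens.items() if u == user_id]
        for t in revoked:
            del self.tokens[t]
        return len(revoked)


def visible_profile(owner: str, as_user: str) -> str:
    """What `as_user` is allowed to see of `owner`'s profile: private fields only for the owner."""
    p = PROFILES[owner]
    return p["public"] if as_user != owner else f"{p['public']}; {p['private']}"


def view_as_vulnerable(store: TokenStore, owner_token: str, as_user: str) -> str:
    """Flawed 'View As' (assumed mechanism): to drive an embedded widget (a video uploader
    in this toy) as `as_user`, it mints a real access token for `as_user` and writes it
    into the page. The profile owner, who only asked for a preview, can now read it."""
    owner = store.resolve(owner_token)
    if owner is None:
        raise PermissionError("not logged in")
    impersonation_token = store.issue(as_user)  # the bug: a live credential for someone else
    return (f"<div class='profile'>{visible_profile(owner, as_user)}</div>"
            f"<div class='uploader' data-access-token='{impersonation_token}'></div>")


def view_as_fixed(store: TokenStore, owner_token: str, as_user: str) -> str:
    """Hardened 'View As': the preview is rendered server-side under the owner's own
    identity. No token for `as_user` is ever created, so there is nothing to leak."""
    owner = store.resolve(owner_token)
    if owner is None:
        raise PermissionError("not logged in")
    return (f"<div class='profile'>{visible_profile(owner, as_user)}</div>"
            f"<div class='uploader' data-preview='true'></div>")


def scrape_tokens(html: str) -> list:
    """Attacker side: pull any access token out of the rendered page."""
    return re.findall(r"data-access-token='([^']+)'", html)


def takeover_attempt(store: TokenStore, html: str):
    """Attacker side: try each scraped token; return the account it unlocks, if any."""
    for token in scrape_tokens(html):
        victim = store.resolve(token)
        if victim is not None:
            return victim
    return None


def precautionary_reset(store: TokenStore, affected, extra) -> int:
    """Incident response: revoke tokens for the confirmed-affected accounts plus a wider
    set as a precaution, forcing all of them to log in again. Returns tokens revoked."""
    return sum(store.reset_user(u) for u in set(affected) | set(extra))


if __name__ == "__main__":
    store = TokenStore()
    alice = store.issue("alice")
    leaked = view_as_vulnerable(store, alice, "bob")
    print("vulnerable page yields account:", takeover_attempt(store, leaked))
    print("fixed page yields account:", takeover_attempt(store, view_as_fixed(store, alice, "bob")))
    print("tokens revoked:", precautionary_reset(store, ["bob"], ["alice"]))
```

The point of the comparison is that a preview must be a rendering decision, not an identity switch: the fixed version filters what is shown with `visible_profile` while every request still runs as the logged-in owner. The reset routine also shows why the precautionary 40 million matters in a case like this, since a token already copied out of a page stays valid until it is revoked.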
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based,” Facebook VP of product management Guy Rosen said.
Facebook has not revealed whether the attackers attempted to extract private data from users’ profiles.
The attack is the largest hack of Facebook to date, but it is not the only time users' data has been harvested en masse.
Earlier this year, former Cambridge Analytica employee Christopher Wylie blew the whistle on how the data analytics firm harvested Facebook data through the use of an app to create a ‘psychological warfare weapon’ that would help Donald Trump win the 2016 US election in one of the greatest political upsets of modern times.
This attack is different in that it exploited a flaw in Facebook's own code, rather than a flaw in how the social media network entrusted app developers with user data.