Facebook users suing the world’s largest social media network over a 2018 data breach say it failed to warn them about risks tied to its single sign-on tool, even though it protected its employees, a court filing on Thursday showed.
Single sign-on connects users to third-party social apps and services using their Facebook credentials.
The lawsuit, which combined several legal actions, stems from Facebook’s worst-ever security breach in September, when hackers stole login codes – or “access tokens” – that allowed them to access nearly 29 million accounts.
“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” the plaintiffs said in a heavily redacted section of the filing in the US District Court for the Northern District of California in San Francisco.
“Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”
Facebook did not immediately respond to a request for comment.
Judge William Alsup told Facebook in January he was willing to allow “bone-crushing discovery” in the case to uncover how much user data was stolen.
Facebook has revealed few details since initially disclosing the attack, saying only that it affected a “broad” spectrum of users without breaking down the numbers by country.
The attackers took profile details such as birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins from 14 million users.
For the other 15 million users, the breach was restricted to name and contact details. In addition, attackers could see the posts and lists of friends and groups of about 400,000 users.
They did not steal personal messages or financial data and did not access users’ accounts on other websites, Facebook said.