Facebook could be facing over $1 billion in fines for its latest privacy breach, which exposed at least 50 million user accounts.
European regulators are considering a fine in the neighborhood of $1.63 billion, The Wall Street Journal reported over the weekend.
Facebook’s lead European privacy regulator, Ireland’s Data Protection Commission (DPC), made its concerns public on Sunday.
In a tweet, the DPC said it is “awaiting from Facebook further urgent details of the security breach impacting some 50m users, including details of EU users which have been affected, so that we can properly assess the nature of the breach and risk to users.”
In response, Facebook tweeted: “We’re cooperating fully & will share more info with you as soon as we have it … We take this issue very seriously & are committed to understanding exactly what happened … We’ve also taken immediate action to protect people’s security.”
On Friday, Facebook said its engineering team had recently discovered a security issue affecting roughly 50 million accounts.
Specifically, hackers exploited a vulnerability in Facebook’s code that affected “View As”, a feature that lets users see what their own profile looks like to someone else, according to Guy Rosen, VP of Product Management at Facebook.
“This allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts,” Rosen explained in a post. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Reacting to Facebook’s latest privacy breakdown, analysts said the social giant has an enormous responsibility to protect users’ information due to its immense size.
“The fact that a breach at one company can impact tens of millions of users is troubling,” Jeff Pollard, vice president-principal analyst at Forrester, said on Friday. “Attackers go where the data is, and that has made Facebook an obvious target.”
“Facebook needs to make limiting access to data a priority for users, APIs, and features.”
After first learning about the breach on September 25, Rosen said Facebook fixed the vulnerability and informed law enforcement.
Facebook has reset the access tokens of the approximately 50 million accounts known to be affected by the hack, and is currently resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.
Facebook has also temporarily turned off the “View As” feature while it conducts a thorough security review.
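The remediation described above, resetting access tokens so that any stolen ones stop working while users simply log in again, as an added example in Python. This is not Facebook's code; the `TokenStore` class, the HMAC-signed token layout and the per-account "reset watermark" are assumptions made for illustration, and the account ids and timestamps are constructed.

```python
# Added example, not Facebook's code: a minimal HMAC-signed session-token
# store that shows how "resetting access tokens" for a set of accounts
# invalidates every token issued before the reset, while tokens issued
# afterwards keep working. Names and the token layout are assumptions.
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


class TokenStore:
    """Issues and verifies opaque session tokens; supports bulk reset."""

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or secrets.token_bytes(32)
        # account_id -> time of the most recent forced reset.
        # A token is accepted only if it was issued strictly after this.
        self.reset_at: Dict[str, int] = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, account_id: str, now: int) -> str:
        """Mint a token bound to the account and its issue time."""
        payload = f"{account_id}:{now}:{secrets.token_hex(8)}"
        return f"{payload}:{self._sign(payload)}"

    def verify(self, token: str, now: int) -> Optional[str]:
        """Return the account id for a valid token, else None."""
        try:
            account_id, issued, nonce, mac = token.rsplit(":", 3)
            issued_at = int(issued)
        except ValueError:
            return None  # malformed token
        payload = f"{account_id}:{issued}:{nonce}"
        if not hmac.compare_digest(self._sign(payload), mac):
            return None  # forged or altered token
        if issued_at > now:
            return None  # claims to be issued in the future
        if issued_at <= self.reset_at.get(account_id, -1):
            return None  # predates the account's last reset: stolen copies die here
        return account_id

    def reset_accounts(self, account_ids: Iterable[str], now: int) -> int:
        """Invalidate every outstanding token for the given accounts.

        Nothing is looked up per token: moving the watermark is O(accounts),
        which is what makes a reset across tens of millions of accounts feasible.
        """
        count = 0
        for account_id in account_ids:
            self.reset_at[account_id] = now
            count += 1
        return count


def demo() -> dict:
    """Constructed scenario: three accounts, two known to be affected."""
    store = TokenStore()
    affected = {"acct-1", "acct-2"}
    tokens = {a: store.issue(a, now=1_000) for a in ("acct-1", "acct-2", "acct-3")}
    before = {a: store.verify(t, now=1_500) for a, t in tokens.items()}
    store.reset_accounts(affected, now=2_000)
    after = {a: store.verify(t, now=2_500) for a, t in tokens.items()}
    fresh = store.issue("acct-1", now=2_500)  # user logs in again after the reset
    tampered = tokens["acct-3"].replace("acct-3", "acct-9", 1)  # MAC no longer matches
    return {
        "before": before,
        "after": after,
        "fresh_valid": store.verify(fresh, now=2_600),
        "tampered_valid": store.verify(tampered, now=2_600),
    }


if __name__ == "__main__":
    print(demo())
```

The watermark approach is the key design choice: the server never has to find and delete each stolen token, it only records the reset time per account and rejects anything issued earlier. That is the same effect the article describes, a reset that forces affected users to log in again, at a cost proportional to the number of accounts rather than the number of outstanding tokens.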