Facebook could be hit with a huge fine from EU authorities after hackers exploited a security vulnerability on the social networking site that left 50 million users open to having their accounts taken over.

In a statement on Friday (28 September) Facebook confirmed the attack and said it had informed law enforcement agencies and reset security credentials on 90 million accounts. Some 40 million of these were changed as a precautionary step, it added.

Following the revelation, the Data Protection Commission Ireland (DPC) demanded the company swiftly provide details of the impact on EU users.

If it is found in breach of EU data protection regulations, Facebook could be slapped with a massive fine, estimated by The Wall Street Journal at around $1.6 billion. As Facebook’s European headquarters is in Ireland, the Irish authorities take the lead in investigating issues related to its activities in the European Economic Area.

The company could face separate action in other markets.

Security hole
The vulnerability stems from an update made in 2017 to Facebook's View As feature, which lets users see how their own profile appears to other people.

Gaps in security meant hackers could steal Facebook access tokens, the digital credentials that keep users logged in to the Facebook app and to third-party services that accept a Facebook login as proof of identity. Because a token stands in for the user's password, anyone holding a stolen token can act as that user without ever entering their credentials.

Facebook has yet to determine who was behind the attacks, where they were based, or whether user information was accessed or misused.

In a statement, Facebook VP of product management Guy Rosen apologised for the problem and confirmed the vulnerability had now been fixed. He also noted the company was “taking this incredibly seriously”.

The DPC said yesterday (30 September) it was still waiting for Facebook to provide full details of the attack, which was discovered on 25 September and publicly announced on 28 September.

In a tweet, European Commissioner Vera Jourova “urged Facebook to fully cooperate”, pointing to EU rules which require details of a breach to be provided to the authorities within 72 hours.