A court filing says that Facebook warned staff of the risk that led to a huge security breach that last year allowed hackers to access almost 29 million accounts — but failed to warn its users…

The risk was in the use of single sign-on, a way to let you sign into third-party apps and websites using your Facebook credentials. While this doesn’t give the third party service access to your login details, it does generate an access token that hackers were able to misuse to view private content in accounts.

Reuters reports that a class-action lawsuit alleges that Facebook was aware of the security risks inherent in the single sign-on feature, and took steps to ensure the privacy of its own staff was protected, but did not do the same for its users.

Facebook users suing the world’s largest social media network over a 2018 data breach say it failed to warn them about risks tied to its single sign-on tool, even though it protected its employees, a court filing on Thursday showed […]

“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” the plaintiffs said in a heavily redacted section of the filing in the U.S. District Court for the Northern District of California in San Francisco.

“Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”

The access tokens didn’t give the hackers complete access to accounts, but a flaw in a feature known as View As enabled them to see information that should have been restricted to Facebook friends. The View As feature is designed to allow you to see how your Facebook profile looks to other people.

For 15 million people, hackers were able to access just name and email (or name and mobile number, for those who signed up using that). For a further 14 million people, however, the hackers were able to see a lot more profile information and activity.

This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

Facebook contacted all those affected, and also provided an online tool to allow people to check for themselves if their details were hacked.

I would always advise against the use of any single sign-on service — even the upcoming Apple one. I instead recommend unique, strong passwords for each individual app, website, or service you use.

FTC: We use income earning auto affiliate links. More.

OnlyBrush Smart Dental Travel Kit

Photo: Shutterstock

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy's favorite gear