Facebook faces class-action lawsuit over massive new hack

Illustration by James Bareham / The Verge

Facebook is already facing immense fallout from revelations this morning that a hacker exploited a security flaw in a popular feature of the social network to steal account credentials of as many as 50 million users. The company is now facing a class-action complaint filed on behalf of one California resident, Carla Echavarria, and one Virginia resident, Derick Walker. Both allege that Facebook’s lack of proper security has exposed them and additional potential class members to a significantly increased chance of identity theft as a result of the breach.

The lawsuit was filed today in US District Court for the Northern District of California. The complaint alleges Facebook is guilty of unlawful business practices, deceit by concealment, negligence, and violations of California’s Customer Records Act. The plaintiffs want statutory damages and penalties awarded to them and other class members, as well as the providing of credit monitoring services, punitive damages, and the coverage of attorneys’ fees and expenses.

Although Facebook says it has fixed the issue that resulted in the breach, it still has little to no information to provide on who is behind the attack or when the attack even occurred. The company began notifying affected users this morning with a message on its website and mobile app, and it’s been holding a series of calls with reporters throughout the day to brief them on technical details and other information as it arises. Still, this is among the more serious breaches Facebook has ever suffered. It will likely only intensify criticism of the company’s handling of user data and its privacy policies in the wake of the Cambridge Analytica scandal earlier this year, in which more than 70 million users’ personal info was packaged and sold to a data-mining firm without their consent.

As it stands, in addition to this new lawsuit, Facebook is facing pressure from the New York State Attorney General Barbara Underwood, who announced on Twitter this afternoon that, “We’re looking into Facebook’s massive data breach. New Yorkers deserve to know that their information will be protected.” Federal Trade Commissioner Rohit Chopra had a terse public reaction, releasing a simple three-line tweet reading, “I want answers.” In addition to Underwood and Chopra, Sen. Mark R. Warner (D-VA) released a statement describing the hack as “deeply concerning” and calling for a full investigation.

“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” reads the statement from Warner, who is the vice chairman of the Senate Select Committee on Intelligence and the co-chair of the Senate Cybersecurity Caucus. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before — the era of the Wild West in social media is over.”

Carla Echavarria and Derrick Walker v. Facebook, Inc. by Nick Statt on Scribd


This company is a disaster, and it’s been showing for some time now.

These Class Action Attorneys are leeches!!!
This was released by Facebook today!
And all the Details haven’t been released yet. So how could any attorneys have filed unless they daily troll tech News sites,
and be prepared to pounce with pre-written paperwork.

Since I don’t have a FB (yet) idrc about this controversy…

But that illustration is everything, James.

Some would say Facebook is run by a bunch of amateur college kids….seems Zuckerberg has lost control of a monster he has created.

Facebook operations should be seriously curtailed.

Some would say Facebook is run by a bunch of amateur college kids….seems Zuckerberg has lost control of a monster he has created.

No. They’re wrong. Many of these Silicon Valley douche bags aren’t innocent Babes in the Woods who "lost control" of their product. This was all by design.

I’ve been on the web since the beginning. There was a dramatic shift in Silicon Valley culture when we went from Web 2.0 to Web 3.0. In Web 1.0 and Web 2.0, people who built these companies were bleeding heart, kumbaya types (all about social responsibility and using the internet to make the world a better place).

In the age of Web 3.0, Silicon Valley went from "let’s make the world a better place/do no evil" to libertarianism, which is about pure greed at the expense of human beings and society, about seeing people as nothing but raw product to be used up and thrown away. If there was any fallout in the process (like undermining democracy, spreading disinfo, etc.) that was dismissed as "collateral damage", or the buck was passed onto their users (as in, "We’re just a platform; it’s not our fault if our users did this.").

Zuckerberg knew very well all the problems he was creating with FaceBook. He just didn’t care. The reason why he allowed everything to get this out of control is that he thought he was too big to fail. Turns out he wasn’t, and now he’s getting caught with his pants down.

A hacker exploited a security flaw in a popular feature of the social network to steal account credentials of as many as 50 million users.

Do we know if that’s the case? Your other article mentioned that it was the security tokens, which (while still bad) doesn’t necessarily mean passwords were compromised, otherwise I would expect they’d be asking 90 million+ people to reset their passwords, rather than just logging them out…

Depends how you define credentials. If you define an OAuth token as a credential, then it’s technically correct, but yeah, it’s not a user/password breach.

Although Facebook should try to make itself safer and more secure, this is clearly the hacker’s fault.

if you’re "paid" to protect my assets and someone steals from you because of your negligence the responsibility for the theft is clearly the thief’s but you’re not innocent.

and the irony of this coming on top of the revelation that they were using the phone number users provided to support their 2FA scheme as another data point to sell to advertisers … their culpability stems from their unashamed greed and cynical manipulation of users.

in the meantime … I wonder how many people will care enough to actually sanitize their accounts, stop using FB as login for other sites, start using ad blockers to stop FB tracking them and generally curtail these leeches?

I thought dominating the news for data breaches was Yahoo’s job. With companies like Facebook and Newegg being so insecure, Yahoo really needs to step up its game to stay in the news.
