In brief: Facebook engineers have revealed in court that the company ignored warnings about a potential security issue for nine months, only to have cybercriminals prove them right in 2018. And while they feel this could have been prevented, the company insists it was taken by surprise.
The social giant has vowed to do a better job with users’ security, in light of a class action lawsuit that revealed a tale of mismanagement and of ignoring repeated warnings from employees ahead of the 2018 incident that exposed the personal details of millions of users around the world.
According to a report from The Telegraph, Facebook was made aware of the potential security risk nine months in advance, which should have been ample time to prevent a hack that affected more than 50 million accounts and inconvenienced more than 90 million users, who were signed out on all of their devices. The incident also affected three million people in the EU, which naturally prompted a thorough investigation by the Irish Data Protection Commission.
The Telegraph cites court documents that indicate employees felt “guilt” and “hurt” after repeated warnings led to no coordinated action by upper management. Several Facebook engineers expressed their worries over the fact that access tokens — which are essentially unique credentials used to do things like logging in to third-party apps and services — were an easy target for cybercriminals.
The engineers explained that the social giant had released features that relied on non-expiring access tokens despite ample evidence that this would be a bad idea. Facebook denies these claims, noting that while it did know about several glitches, it couldn’t have known about a possible exploit that combined all of them in a novel way. The company refused to pay damages but promised to improve its security protocols, which will be assessed on a yearly basis by an independent third party.
CEO Mark Zuckerberg had been a big proponent of the “move fast and break things” mentality that has led to many large-scale privacy and security mishaps, and many believe he shouldn’t be allowed so much control over users’ data. Other CEOs, such as Elon Musk, are open about their disdain for the platform.
If we look at what the company is doing right now, the recent work around restoring users’ agency over their data is certainly an example that Facebook can at least keep some of its promises. However, the company still has a long way to go — it keeps ignoring glaring vulnerabilities in its services, and user data can still be scraped and shared among cybercriminals in obscure corners of the web.