Meta Fined EUR 251M for 2018 Facebook Breach
The Irish Data Protection Commission (DPC) fined Meta Platforms Ireland Limited EUR 251 million in December 2024 for the September 2018 Facebook data breach that exploited a vulnerability in the "View As" feature.
The breach allowed attackers to steal access tokens for approximately 29 million Facebook accounts globally, including roughly 3 million EEA accounts, exposing names, phone numbers, email addresses, and detailed personal information.
The DPC found Meta in violation of Article 25 (data protection by design and by default), Article 33 (breach notification), and Article 32 (security of processing).
KEY FACTS
- What: Facebook "View As" bug let attackers steal access tokens for 29M accounts.
- Who: 29M Facebook users globally, including 3M in the EEA.
- Data Exposed: Names, phone numbers, emails, and detailed personal profile data.
- Outcome: Irish DPC fined Meta EUR 251M for design and security failures.
WHAT WAS EXPOSED
- User access tokens for approximately 29 million accounts stolen through the "View As" feature exploit chain
- For 15 million accounts: names, and either phone numbers, email addresses, or both
- For 14 million accounts: extensive personal details including name, phone number, email, username, date of birth, gender, language, relationship status, religion, hometown, current city, education, work, device types, pages followed, last 10 places checked in, and 15 most recent searches
REGULATORY ANALYSIS
The breach resulted from the interaction of three distinct software bugs. The "View As" feature incorrectly generated a user access token for the profile being viewed, rather than for the user doing the viewing. A 2017 change to the video uploader caused it to appear within "View As" and to generate those tokens with full permissions.
The DPC found violations of Article 25(1) (data protection by design), Article 25(2) (data protection by default: the tokens should have carried only the minimum permissions needed), Article 33 (insufficient initial breach notification), and Article 32 (failure to implement appropriate technical measures).
The fine comprised EUR 210 million for Article 25 violations and EUR 41 million for Article 33 violations.
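To make the design failure concrete, here is an added example in Python, constructed for this page and not Facebook's code, that models the token-minting step described above: a vulnerable preview path that issues a full-permission token for the viewed profile, beside a hardened path that binds any token to the authenticated actor with only the minimum scope (the Article 25(2) point), plus an invariant check a defender can run at the issuance boundary or over token-issuance logs. The scope names, account names and function names are assumptions.

```python
from dataclasses import dataclass

# Constructed scope names; Facebook's real permission model is not on the page.
FULL_SCOPES = frozenset({"read_profile", "read_contacts", "read_messages", "publish"})
PREVIEW_SCOPES = frozenset({"read_profile"})  # the only scope a profile preview needs


@dataclass(frozen=True)
class Token:
    subject: str       # account the token lets its holder act as
    actor: str         # authenticated account that requested the token
    scopes: frozenset  # permissions granted to the holder


def view_as_vulnerable(actor: str, target: str) -> Token:
    """Model of the pre-fix behaviour: the preview path mints a token whose
    subject is the *viewed* profile, and the embedded uploader requests full
    permissions. Whoever ends up holding this token can act as `target`."""
    return Token(subject=target, actor=actor, scopes=FULL_SCOPES)


def view_as_fixed(actor: str, target: str) -> Token:
    """Hardened preview: any token minted is bound to the authenticated actor and
    carries only the scope the preview needs (data protection by default).
    `target` selects what to render, never whose token to mint."""
    return Token(subject=actor, actor=actor, scopes=PREVIEW_SCOPES)


def audit_token(token: Token, allowed_scopes: frozenset = PREVIEW_SCOPES) -> list:
    """Invariant check for the token-minting boundary: flags a token whose subject
    is not the requesting actor, and a token whose scopes exceed what the calling
    feature is entitled to. An empty list means the token passes both checks."""
    findings = []
    if token.subject != token.actor:
        findings.append(f"subject/actor mismatch: token acts as {token.subject} "
                        f"but was requested by {token.actor}")
    excess = token.scopes - allowed_scopes
    if excess:
        findings.append(f"excess scopes: {sorted(excess)}")
    return findings


if __name__ == "__main__":
    # Constructed accounts: alice previews her own profile as bob would see it.
    print("vulnerable:", audit_token(view_as_vulnerable("alice", "bob")))  # two findings
    print("fixed:", audit_token(view_as_fixed("alice", "bob")))            # []
```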
SOURCES
Irish DPC Decision IN-18-8-7, EDPB Guidelines 9/2022, Facebook Security Update September 2018, GDPR Articles 25, 32, 33, 83