Facebook Access Token Hack Lawsuit Investigation

[If you are inquiring about a Facebook Messenger data sharing lawsuit, visit our case page.]

Facebook announced that on September 25, 2018, it discovered a security flaw that would allow hackers to hijack a person’s Facebook account. Facebook says there are 50 million accounts that it “know[s] were affected.” Another 40 million accounts may be affected, according to Facebook. Facebook has said it will send affected users a notification on their News Feed the next time they log into Facebook.

Impacted members may consider joining a Facebook data breach lawsuit or class action.

Hackers holding any of the 50-90 million stolen access tokens could have used them to gain “full access” to someone’s Facebook account, according to PCWorld. That access could allow them to change the password to hijack the account, according to Facebook. LA Times posits that hackers may have been able to use access tokens to pose as the user to message and scam their friends, log into other applications that use Facebook login, or steal money from accounts linked to Facebook (such as someone’s Venmo account or credit card for Facebook Payments). A spokesman for Facebook said he could not “rule out” these possibilities, according to LA Times.

Was your Facebook account compromised?

We can help you find out, and if so, receive the compensation you are due. Contact us for a free consultation. No obligation.



How do I know if I’m included in the Facebook data breach (2018)?

Facebook says that it is resetting the tokens for all 90 million users who may be affected, so they’ll be forced to log in again on any device where they’ve chosen to “stay logged in.” Once these 90 million users log in again, they will receive a notification on their News Feed telling them they were affected.

Update: Facebook says it has also created a tool for users to check whether they were affected and if so, what information of theirs the hackers appear to have accessed. The tool is at: https://www.facebook.com/help/securitynotice.

The Facebook data breach notification says:


An Important Security Update

[Your First Name], your privacy and security are important to us. We want to let you know about recent action we’ve taken to secure your account.

Learn more.


Facebook’s Data Breach Notification


How many were affected by the Facebook data breach?

Facebook says it knows for sure 50 million users were included in the data breach. It says that 40 million more users may have been affected.

What caused the Facebook data breach?

On September 28, 2018, Facebook announced that it had discovered a data breach affecting between 50 and 90 million users. Facebook first noticed unusual activity on September 16, 2018, and launched an investigation, according to TechCrunch. Nine days later, it discovered that attackers had stolen user access tokens. Two days after that, it fixed the vulnerability that had enabled the data breach, according to TechCrunch.

Facebook says that the attack exploited “multiple issues in our code,” including its “view as” feature, launched in 2013, and a change that Facebook made to its video uploading process in July 2017.

Facebook reports that hackers used the vulnerabilities in Facebook’s platform to steal “access tokens” for at least 50 million Facebook accounts. These access tokens, when used legitimately, tell Facebook that you’ve already logged in on your device, so you don’t need to log in again, according to TechCrunch. But when exploited by hackers, the same access token can trick Facebook into thinking the hacker is already logged in (as you), according to cybersecurity expert Brian Krebs.

Security experts have warned about the insecurity of the Facebook platform since the launch of “Facebook Payments,” a feature that allows people to link credit accounts to Facebook and send payments through Facebook Messenger, according to CSO Online.

HackRead reports that Facebook users’ login information is already being sold on the dark web, an area of the internet that isn’t reachable through search engines but that hackers often use to sell information.

Our Data Breach experience

Our attorneys served in a court-appointed leadership role in the Anthem data breach class action, and helped achieve a $115 million settlement for victims of the Anthem data breach. The settlement received final approval from the court in August 2018.

Our data breach lawyers also currently serve in court-appointed leadership positions in the Equifax data breach lawsuit, Banner Health data breach lawsuit, and Excellus Health data breach lawsuit.

We’ve also achieved landmark results in our past data breach cases, including the Adobe data breach litigation, UCSF data breach lawsuit, and Health Net of California data breach litigation.

Our Data Breach Lawyers

Eric Gibbs

A founding partner at the firm, Eric has negotiated groundbreaking settlements that favorably shaped laws and resulted in business practice reforms.


Dave Stein

Dave represents clients in cases nationwide, ranging from securities and financial fraud cases to product liability, privacy, and data breach suits.


David Berger

David represents consumers in data breach, privacy, and financial services litigation. He has prosecuted some of the largest privacy cases nationwide.


Aaron Blumenthal

Aaron represents consumers, employees, and whistleblowers in class actions and other complex litigation.


Amanda Karl

Amanda represents employees, consumers, and sexual assault survivors in complex class actions. She also leads the firm’s Voting Rights Task Force.


Affected by the Facebook data breach?

We can help. You may be entitled to participate in a class action lawsuit or recover damages. Contact us for a free consultation. No obligations. And we keep anything you tell us confidential.