Intelligence Advisory
zerotolerance.me

Meta Fined €251M for 2018 Facebook Breach

Dec 2024 · €251M fine

Publication Date
2024-12-01
Category
Regulatory Enforcement
Author
K. Ellabban
Organization
Zero|Tolerance Security Research

The Irish Data Protection Commission (DPC) fined Meta Platforms Ireland Limited EUR 251 million in December 2024 for the September 2018 Facebook data breach, which exploited a vulnerability in the "View As" feature. The breach allowed attackers to steal access tokens for approximately 29 million Facebook accounts globally, including roughly 3 million EEA accounts, exposing names, phone numbers, email addresses, and detailed personal information.

Executive Summary

KEY FACTS

  • What: A Facebook "View As" bug let attackers steal access tokens for 29M accounts.
  • Who: 29M Facebook users globally, including 3M in the EEA.
  • Data Exposed: Names, phone numbers, emails, and detailed personal profile data.
  • Outcome: The Irish DPC fined Meta EUR 251M for design and security failures.

Impact Assessment

WHAT WAS EXPOSED

  • User access tokens for approximately 29 million accounts, stolen through the "View As" exploit chain
  • For 15 million accounts: names, plus phone numbers, email addresses, or both
  • For 14 million accounts: extensive personal details including name, phone number, email, username, date of birth, gender, language, relationship status, religion, hometown, current city, education, work, device types, pages followed, the last 10 places checked in, and the 15 most recent searches

Compliance Impact

REGULATORY ANALYSIS

The breach resulted from the interaction of three distinct software bugs. The "View As" feature incorrectly generated a user access token for the profile being viewed rather than for the viewer. A 2017 change to the video uploader caused it to appear within "View As" and to generate tokens carrying full permissions. The DPC found violations of Article 25(1) (data protection by design), Article 25(2) (data protection by default: the tokens should have carried only the minimum permissions needed), Article 33 (insufficient initial breach notification), and Article 32 (failure to implement appropriate technical measures).

The fine comprised EUR 240 million for Article 25 violations (EUR 130 million for Article 25(1) and EUR 110 million for Article 25(2)) and EUR 11 million for Article 33 violations (EUR 8 million for Article 33(3) and EUR 3 million for Article 33(5)).
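To make the Article 25(2) finding concrete, the following is an added Python model written for this advisory (not Facebook's code): it reproduces the flawed "View As" issuance described above beside a least-privilege form, together with the invariant check that would have caught the flaw. Function names, scope names and the accounts "alice" and "bob" are constructed for illustration.

```python
from dataclasses import dataclass

# Scope sets are constructed for illustration; they are not Facebook's real permission names.
FULL_APP_SCOPES = frozenset({"read_profile", "read_timeline", "publish_post", "upload_video"})
PREVIEW_SCOPES = frozenset({"read_profile", "read_timeline"})  # assumed minimum a preview needs


@dataclass(frozen=True)
class AccessToken:
    subject: str        # account the token lets its holder act as
    scopes: frozenset   # permissions attached to the token
    context: str        # "session" for a normal login, "view_as" for the preview feature


def issue_view_as_token_flawed(viewer: str, viewed: str, via_video_uploader: bool) -> AccessToken:
    """Models the bug chain: the preview mints a token for the profile being viewed,
    and when the video uploader requests it the token carries full app permissions."""
    scopes = FULL_APP_SCOPES if via_video_uploader else PREVIEW_SCOPES
    return AccessToken(subject=viewed, scopes=scopes, context="view_as")


def issue_view_as_token_hardened(viewer: str, viewed: str, via_video_uploader: bool) -> AccessToken:
    """Data protection by default: a preview token is bound to the requesting viewer
    and never exceeds the preview scope set, whichever component asked for it."""
    del viewed, via_video_uploader  # neither may influence subject or scope of a preview token
    return AccessToken(subject=viewer, scopes=PREVIEW_SCOPES, context="view_as")


def preview_token_findings(token: AccessToken, viewer: str) -> list:
    """Issuance-time invariant check (usable as a unit test or an audit rule over
    issuance logs). Returns the violated invariants; empty means least privilege held."""
    findings = []
    if token.context != "view_as":
        return findings
    if token.subject != viewer:
        findings.append("subject is not the requesting viewer")
    excess = token.scopes - PREVIEW_SCOPES
    if excess:
        findings.append("excess scopes: " + ", ".join(sorted(excess)))
    return findings


if __name__ == "__main__":
    flawed = issue_view_as_token_flawed("alice", "bob", via_video_uploader=True)
    print(preview_token_findings(flawed, "alice"))
    hardened = issue_view_as_token_hardened("alice", "bob", via_video_uploader=True)
    print(preview_token_findings(hardened, "alice"))
```

The two invariants checked (token subject equals the requesting account, scopes never exceed what the preview context needs) are the "minimum permissions by default" requirement the DPC cited under Article 25(2).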

References

SOURCES

  • Irish DPC Decision IN-18-8-7
  • EDPB Guidelines 9/2022
  • Facebook Security Update, September 2018
  • GDPR Articles 25, 32, 33, 83