European Union privacy watchdogs have hit Facebook owner Meta with fines totalling €251m after an investigation into a 2018 data breach on the social media platform that exposed millions of accounts.
Ireland’s Data Protection Commission issued the penalties after wrapping up its inquiry into the breach, which happened when hackers gained access to user accounts by exploiting bugs in the platform’s code that allowed them to steal digital keys, known as access tokens.
Under the 27-nation EU’s strict privacy regime, the Irish watchdog is Meta’s lead privacy regulator because the company’s regional headquarters is in Dublin.
The watchdog issued reprimands and “administrative penalties” worth €251m after it found multiple infringements of the rules, known as the General Data Protection Regulation.
The company said it would appeal against the decision.
“This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified,” Meta said in a statement.
The company said it “proactively informed people impacted” as well as the Irish watchdog.
When it first disclosed the problem, Facebook said 50m user accounts were affected, but the actual number was around 29m, including three million in Europe, the Irish watchdog said.
The company has said that after discovering the bug, it alerted the FBI and regulators in the US and Europe.
The hack involved three distinct bugs in Facebook’s View As feature, which let people see how their profiles appear to others. The attackers used the vulnerability to steal access tokens from the accounts of people whose profiles came up in searches using the feature.
The attack then moved from one user’s Facebook friend to another. Possession of the tokens would allow attackers to control those accounts.