It prompted immediate lawsuits, an FBI investigation and a crisis press conference with Mark Zuckerberg, the Facebook chief executive, who vowed: “This is a very serious security issue, and we’re taking it very seriously.”
But according to internal documents, released as part of a lawsuit against the firm, Facebook had repeatedly failed to adequately address concerns raised as early as December 2017 by its own engineers, who feared that access tokens would be “easy” for criminals to exploit.
After the breach, which was the largest in Facebook’s history and affected three million people in the European Union, employees said technical changes that could have stopped the hack were never completed, with one saying the warnings were “almost all ignored”.
Another wrote: “It hurts knowing that if our stuff was done faster [or] in a better state this could have been prevented… this is something I worked on but didn’t finish. The guilt really decided to sucker punch me.”
In response to inquiries from The Telegraph, a Facebook spokesman denied the company had ignored warnings about access tokens, saying that engineers had already begun working to solve the problem when the breach occurred.
He said the security problems raised by the employees could not, on their own, have caused the breach, which he described as the result of an unusual combination of different bugs that the company had not anticipated.
Still, the disclosures shed new light on Facebook’s failures to protect data after multiple privacy and security scandals that have resulted in billions in fines and government scrutiny.
The documents were disclosed as part of legal action launched by US victims of the hack. The lawsuit claimed that Facebook had not done enough to prevent the vulnerability because it was concerned that it would create technical problems and damage revenues.
“Facebook chose money over security,” the plaintiffs alleged.
Last month, Facebook agreed to settle the case without admitting any responsibility or paying damages, although it will pay the plaintiffs’ legal costs as determined by a court.
The settlement requires Facebook to certify that the flaws that led to the attack have been fixed and to adopt a security plan designed to prevent future attacks. The company continues to “vigorously” contest other lawsuits outside the US, which it describes as “without merit”.
A spokesman said: “While we have reached an agreement in this matter, we know that attackers will continue to try to compromise our systems. That’s why we’ll keep investing in security to improve our detection capabilities and harden our defences.”
The unidentified hackers exploited a flaw in Facebook's "View As" feature, which lets users see how their own profile appears to another person and so check what their privacy settings actually expose.
Concerns about the access tokens were first raised in December 2017, when employees noticed that the tokens were not expiring when users logged out. One security engineer argued that a feature involving them could create an "easy" loophole for hackers. Employees continued to press the issue throughout 2018, but according to the documents the work to fix it was shelved each time.
Facebook's settlement still needs to be approved by William Alsup, the US judge who has previously said that the company's "repetitive" privacy breaches prove a "long-term need for supervision".