The flaw, which involved using the site’s “view as” and video uploader features, allowed hackers to steal Facebook’s access tokens and take over people's accounts. The company is still investigating whether it also allowed attackers to access more personal data such as direct messages.
According to the Wall Street Journal, Ireland’s Data Protection Commission, which is Facebook’s lead European privacy regulator, wants more information about the incident, including details on which EU citizens might have been affected.
The commission said it was “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”
Under Europe’s recently introduced General Data Protection Regulation (GDPR) law, companies that fail to do enough to protect their customers’ data face a maximum fine of $23 million, or 4 percent of their global revenue for the prior year, which is where the $1.63 billion figure comes from. Firms must also notify regulators of breaches within 72 hours or face a maximum fine of 2 percent of their worldwide revenue—it appears that Facebook complied with this particular rule.
European regulators have yet to use the GDPR law to hand out a fine, so it remains to be seen whether Facebook will be the first to receive such a punishment. A spokeswoman for the company said it would respond to follow-up questions from Ireland’s DPC and keep regulators up to date with its investigations.
Guy Rosen, Facebook’s vice president of product, warned that the stolen access tokens could be used to access other third-party apps that use Facebook logins, such as Spotify, Tinder, and Instagram, though there has been no confirmation of any accounts being breached.