November 16, 2020

A California federal judge has signed off on a settlement resolving claims that Facebook negligently allowed a 2018 cyberattack that affected 29 million users, with the tech giant agreeing to reform its security protocols but not pay monetary damages.

U.S. District Judge William Alsup, who refused to rubber-stamp the agreement in March, gave the deal preliminary approval Sunday, after Facebook and the proposed class of users agreed to provide the court, but not the public, with copies of a third-party audit of Facebook's compliance with its security changes for the next five years.

The settlement does not call for the social media company to pay class members any monetary damages. Instead, Facebook has agreed to take a series of steps that the court believes will help the company avoid a repeat of the 2018 cyberattack, in which hackers exploited a security flaw in Facebook's "View As" feature — which lets users preview how their profiles appear to the public or friends — to access the personal data of 29 million users worldwide. 

. . .

Terms of the deal call for Facebook, which says it has already patched the security vulnerability that allowed for the 2018 incident, to certify annually that "it is no longer possible" for hackers to steal the type of access tokens — equivalent to digital keys that allow people to stay logged into Facebook without having to repeatedly re-enter their password — that were used in that breach.

The tech giant has also agreed to "increase the frequency of integrity checks on session updates to detect account compromises" and "implement new tools to detect suspicious patterns in the generation and use of access tokens across Facebook," among other changes, according to the order.

. . .

The users are represented by Andrew Friedman of Cohen Milstein Sellers & Toll PLLC, John Yanchunis of Morgan & Morgan Complex Litigation Group and Ariana Tadler of Tadler Law LLP.
