In Adkins v. Facebook, Inc., No. C 18-05982 WHA, 2020 U.S. Dist. LEXIS 214006 (N.D. Cal. Nov. 15, 2020), Judge Alsup granted preliminary approval of the proposed class settlement in the Facebook data breach class action.
This case arises from the September 2018 hack of Facebook. A prior order detailed the facts (Dkt. No. 153). In brief, certain access tokens permitted access to Facebook users’ accounts, but a previously unknown vulnerability made these tokens sometimes visible to strangers. Hackers exploited this flaw in September 2018 to access 300,000 accounts. Once inside, the hackers ran two search queries. The first yielded the names and telephone numbers and/or e-mail addresses of fifteen million users worldwide (2.7 million in the United States). The second yielded more sensitive information on fourteen million users worldwide (1.2 million in the United States), including the original 300,000.
The class doesn’t receive anything from a financial standpoint, but the scope of the release reserves the right of class members to seek damages on their own. The terms are as follows:
The proposed settlement imposes a battery of security commitments to prevent future similar attacks. Facebook will certify that the vulnerability exploited in the breach has been eliminated, that it is no longer possible to generate access tokens in the manner that was done in the breach, and that all access tokens generated through the vulnerability have been invalidated. Then, for the next five years, Facebook will adopt the following security commitments to prevent future attacks:
(1) Increase the frequency of integrity checks on session updates to detect account compromises.
(2) Implement new tools to detect suspicious patterns in the generation and use of access tokens across Facebook.
(3) Implement new tools to help Facebook promptly contain a security incident involving the improper issuance of access tokens.
(4) Implement automatic alerts for specified types of suspicious activity to ensure prompt response.
(5) Undergo annual SOC2 Type II security assessments.
(6) Limit the capabilities of applications that rely on access tokens.
(7) Eliminate “NoConfidence authentication proofs” and require cryptographic proofs of valid logins before generating credentials.
(8) Employ at least one senior security executive with direct reporting authority and obligations to Facebook’s Board of Directors.
(9) Expand the logging of access token generation and use metadata to facilitate the detection, investigation, and identification of the compromise of user access tokens.
Compliance with these commitments will be assessed annually by an “unbiased, independent third-party vendor selected by Facebook,” though with class counsel’s approval. Other than sharing the results with the Court and an expert retained to verify compliance, class counsel will keep the results confidential. For the present purposes, the proposed settlement is adequate.