SAN FRANCISCO (CN) – Mere hours after revealing that a security breach had compromised 50 million user accounts, Facebook was hit with a class action Friday afternoon seeking punitive damages for the exposure of private user data.
Lead plaintiff Carla Echavarria of California claims Facebook acted with “absolute disregard” for its users’ private information, and that its “lax and non-existent” security measures enabled hackers to swipe sensitive data that could subject users to identity theft or blackmail.
Facebook announced in a blog post Friday morning that it discovered the “security issue” on Tuesday relating to its “View As” feature and took immediate action to address the problem and report the incident to law enforcement.
“View As” allows users to see their own accounts the way other users see them.
The company said it fixed the vulnerability, temporarily shut down its “View As” feature, and reset access tokens for 50 million user accounts, along with another 40 million that accessed the “View As” feature in the last year.
But the lawsuit claims Facebook has not assessed the full scope of the data breach, nor has it identified the origin of the attack or identity of the hackers.
According to Echavarria’s complaint, the types of data compromised are especially valuable on the black market. Hackers may have gained access to names, birthdates, passwords, security question answers, email addresses, and phone numbers.
“Identity thieves can also use the [personally identifying information] to harm plaintiffs and class members through embarrassment, blackmail, or harassment in person or online, or to commit other types of fraud,” the 30-page complaint states.
This type of valuable personal data is most commonly sold to nefarious criminals on the “dark web,” and thieves can wait years before using someone’s private information to commit identity theft, according to the complaint.
A Facebook spokeswoman declined to comment on the litigation, but referenced Facebook’s comments regarding the security breach on its blog post.
“People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened,” Facebook stated in its blog post.
Echavarria wants Facebook to provide credit monitoring services for affected users and to pay statutory and punitive damages for the data breach. The complaint also claims violations of California’s business and customer data protection laws, deceit by concealment, and negligence.
Echavarria is represented by Joshua Watson of the Clayeo C. Arnold law firm in Sacramento.
The data breach follows a series of scandals that rocked the world’s most popular online social network earlier this year, including revelations that it shared 87 million users’ private data with Cambridge Analytica, a data-mining firm affiliated with Donald Trump’s presidential campaign.
Last month, Facebook was hit with another class action for sharing private data with mobile device makers, allegedly without its users’ knowledge or consent.
A separate spate of lawsuits accused the company of collecting Android phone users’ contacts, call histories and text message data without permission.
In July, Facebook’s market value dropped $119 billion in one day – one of the biggest one-day losses by any company in U.S. stock market history – after it announced that its user base and revenue grew more slowly than expected in its second quarter.
Facebook remains the world’s largest online social network with 1.47 billion daily active users and more than 2 billion monthly active users as of June 30, 2018.