
Facebook told staff but not users about single sign-on risks, says court filing

The judge in the case says he'll allow 'bone-crushing discovery'.

Plaintiffs in a court case against Facebook have argued that the social network knew about the security risks that led to a major hack in 2018 but did not warn its users about them.

Facebook suffered a massive breach last year which affected up to 29 million users. There were concerns at the time that hackers could use the compromised accounts to log in to other services using the Facebook Login feature, though investigators found that this had not occurred.

The court case, filed in the US District Court for the Northern District of California in San Francisco, focuses on the dangers of Facebook offering a single log-in tool for signing in to third-party apps and services. If a user's Facebook account is compromised, their other accounts can be at risk as well.

Facebook was aware of this risk, as it warned its own employees about the security issues with the single sign-on tool, according to court filings seen by Reuters. However, that warning was not extended to the public.

US District Judge William Alsup, who has previously presided over tech cases involving Oracle and Google and Waymo, said in January he would allow "bone-crushing discovery" to get to the bottom of how the user data was compromised. This potentially allows the plaintiffs' lawyers to open Facebook records, letting them piece together what really happened.