Meta Fined $263 Million for Major Facebook Security Breach in EU
The breach dates back to July 2017, when Facebook rolled out a video upload function that included a “View as” feature, which let the user see their own Facebook page as it would be seen by another user.
A bug in the design allowed malicious actors to invoke the uploader in conjunction with Facebook’s “Happy Birthday Composer” feature to generate a user token that gave them full access to the Facebook profile of that user. They could then use the token to exploit the same combination of features on other accounts, gaining unauthorized access to multiple users’ profiles and data, per the DPC.
Between September 14 and September 28, 2018, the watchdog said unauthorized people used scripts to exploit this vulnerability to log in to approximately 29 million Facebook accounts globally, around 3 million of which were based in the EU/European Economic Area.
Personal data impacted by the breach included Facebook users’ full names, email addresses, phone numbers, location, places of work, dates of birth, religion, gender, posts on timelines, groups of which they were members, and children’s personal data.
The broad sweep of impacted personal data is likely to have influenced the size of the fine.
In a recent ruling that underscores the importance of digital privacy, Meta has been fined $263 million due to a significant security breach on Facebook, which impacted around 3 million European Union users. The hefty penalty was imposed after regulators found that Meta failed to adequately protect user data, violating stringent EU data protection laws.
This incident, which exposes the vulnerabilities in digital platforms’ security measures, has sparked widespread concern about the safeguarding of personal information online. Authorities emphasized that the fine reflects the severity of the breach and the need for stringent compliance with data protection regulations.

As the fallout from the breach continues to unfold, this case serves as a critical reminder to all tech companies of the importance of robust cybersecurity measures and the legal repercussions of failing to uphold them. This decision is expected to have far-reaching implications for data security practices across the tech industry.