The breach impacted approximately 29 million Facebook accounts worldwide, including around three million within the EU/EEA. The compromised data included users’ full names, email addresses, phone numbers, locations, workplaces, dates of birth, religions, genders, timeline posts, group memberships, and children’s personal information.

The breach resulted from unauthorized third parties exploiting user tokens on the Facebook platform. Meta, along with its US parent company, addressed the issue shortly after its discovery.

The decisions were issued by Data Protection Commissioners Dr. Des Hogan and Dale Sunderland. They included several reprimands and administrative fines totalling €251 million.

DPC Deputy Commissioner Graham Doyle emphasized the serious risks posed by the breach. He stated, “This enforcement action highlights how failing to integrate data protection measures into the design and development process can expose individuals to severe risks and harm, including threats to their fundamental rights and freedoms.”

Doyle noted that Facebook profiles often contain sensitive personal information, such as religious or political beliefs and sexual orientation, which users may intend to share only in specific contexts.

“The vulnerabilities that led to this breach allowed unauthorized exposure of such information, creating a grave risk of misuse,” he added.