Facebook just can't catch a break.
In a blog post, Facebook VP Guy Rosen said that the breach stemmed from a vulnerability in Facebook's 'View As' feature, which lets users preview what their profiles look like from the perspective of another user.
"This allowed them to steal Facebook access tokens which they could then use to take over people's accounts," he wrote. Access tokens are the mechanism that allows users to access their accounts without entering their passwords every time.
Rosen said that the vulnerability had been fixed and that law enforcement was also notified of the attack. But for Facebook, the incident is likely far from resolved.
Facebook shares slid 1.6% during Monday trading, extending a streak of bad news for the company that also included the abrupt departure of two Instagram executives last week. The security breach disclosed on Friday ensures that the spotlight may not ease up anytime soon.
"Facebook is in for some rough sledding here -- because of the nature of the breach, the scope and the potential depth of the impact," said Scott Vernick, a partner at Fox Rothschild LLP specializing in privacy and security. "If they thought they were off the hot seat, now they're right back on that hot seat."
Facebook's handling of user data has been under scrutiny for the better part of a year, but unlike in the Cambridge Analytica scandal -- which involved the improper sharing of data with third parties -- Friday's breach was the result of an outside attack. And it could ramp up efforts to regulate Facebook and other technology companies, whether by way of financial penalties, legislative efforts or both.
In Europe, Facebook could face a fine totaling as much as $1.63 billion if it's found that Facebook violated terms of the General Data Protection Regulation (GDPR), the European Union's sweeping consumer privacy law. GDPR contains a provision that companies can be fined 4% of their annual revenue if they violate the law, which encompasses rules on protecting data and a requirement that regulators must be notified within 72 hours of a breach. Ireland's Data Protection Commission, which oversees Facebook under GDPR, is heading up an investigation into the breach.
In the U.S., the breach is likely to intensify discussions of a federal privacy law. Last week, a group of technology executives -- including execs from Alphabet (GOOGL), Amazon (AMZN), Apple (AAPL), Twitter (TWTR), AT&T (T) and Charter Communications (CHTR) -- met with a Senate committee to discuss their various efforts to protect user privacy, and what a national law may look like. California recently passed a consumer privacy law, which takes effect in January 2020.
"When this kind of thing happens, all the regulators, politicians and legislators ramp up their efforts," Vernick added.
While hacks and data breaches are all too common, a breach of Facebook -- which has well over a billion users worldwide -- could have far-reaching ripple effects for the U.S. tech industry.
"The grand bargain of the Internet is really up for question, that consumers fork over info in return for free service, or for the ease of use in other products, and whatever benefits come along with that," Vernick added. "Consumers are starting to question that grand bargain, and at least in the United States, come closer to a European view as opposed to an American view."