Facebook is already facing immense fallout from revelations this morning that a hacker exploited a security flaw in a popular feature of the social network to steal account credentials of as many as 50 million users. The company is now facing a class-action complaint filed on behalf of one California resident, Carla Echavarria, and one Virginia resident, Derick Walker. Both allege that Facebook’s lack of proper security has exposed them and additional potential class members to a significantly increased chance of identity theft as a result of the breach.

The lawsuit was filed today in US District Court for the Northern District of California. The complaint alleges Facebook is guilty of unlawful business practices, deceit by concealment, negligence, and violations of California’s Customer Records Act. The plaintiffs want statutory damages and penalties awarded to them and other class members, as well as the providing of credit monitoring services, punitive damages, and the coverage of attorneys’ fees and expenses.

Facebook doesn’t know who the hacker is or how severe the attack was

Although Facebook says it has fixed the issue that resulted in the breach, it still has little to no information to provide on who is behind the attack or when the attack even occurred. The company began notifying affected users this morning with a message on its website and mobile app, and it’s been holding a series of calls with reporters throughout the day to brief them on technical details and other information as it arises. Still, this is among the more serious breaches Facebook has ever suffered. It will likely only intensify criticism of the company’s handling of user data and its privacy policies in the wake of the Cambridge Analytica scandal earlier this year, in which more than 70 million users’ personal info was packaged and sold to a data-mining firm without their consent.

As it stands, in addition to this new lawsuit, Facebook is facing pressure from the New York State Attorney General Barbara Underwood, who announced on Twitter this afternoon that, “We’re looking into Facebook’s massive data breach. New Yorkers deserve to know that their information will be protected.” Federal Trade Commissioner Rohit Chopra had a terse public reaction, releasing a simple three-line tweet reading, “I want answers.” In addition to Underwood and Chopra, Sen. Mark R. Warner (D-VA) released a statement describing the hack is “deeply concerning” and calling for a full investigation.

“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” reads the statement from Warner, who is the vice chairman of the Senate Select Committee on Intelligence and the co-chair of the Senate Cybersecurity Caucus. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before — the era of the Wild West in social media is over.”