Facebook knew about a huge security flaw that let hackers to steal personal data from millions of its users almost one year before the crime, yet failed to fix it in time, the Telegraph can reveal.

Legal documents show that the company was repeatedly warned by its own employees as well as outsiders about a dangerous loophole that eventually led to the massive data breach in September 2018.

Despite this, the loophole remained open for nine months after it was first raised, leading employees to later speak of their "guilt" and "hurt" at knowing that the attack "could have been prevented".

The breach, which involved stealing digital "access tokens" used by Facebook to verify users' identity without needing their passwords, exposed the names, phone numbers and email addresses of 29 million people and a host of more intimate data for 14 million of them, putting users around the world at risk of identity theft.

It prompted immediate lawsuits, an FBI investigation and a crisis press conference with Facebook's chief executive, Mark Zuckerberg, who vowed: “This is a very serious security issue, and we’re taking it very seriously."

Yet according to internal documents, released as part of a lawsuit against the company, Facebook had repeatedly failed to adequately address concerns raised as early as December 2017 by its own engineers, who feared that access tokens would be "easy" for criminals to exploit.

Early warning

After the breach, which was the largest in Facebook's history and affected three million people in the European Union, employees lamented that technical changes that could have stopped it from happening were never completed, with one alleging that the warnings were "almost all ignored".

Another wrote: "It hurts knowing that if our stuff was done faster [or] in a better state this could have been prevented... this is something I worked on but didn't finish. The guilt really decided to sucker punch me on this one." His colleague responded with a sad face emoticon.

In response to inquiries from the Telegraph, a spokesman for Facebook rejected the idea that it had ignored warnings about access tokens, saying that engineers had already begun working to solve the problem when the breach occurred.

He said that the problems with access tokens were not considered a higher priority because they alone could not have caused the breach, which he described as the result of an unusual combination of different glitches that the company did not anticipate.

Still, disclosures shed new light on Facebook's failures to protect user data after multiple privacy and security scandals that have resulted in billions in fines and government scrutiny.

Facebook accused of negligence

The documents were disclosed as part of a class action lawsuit launched by US victims of the hack, who accused the company of negligence and breach of contract in failing to protect the private information that it had lured them into handing over during the past decade.

The lawsuit claimed that Facebook had done nothing to prevent the vulnerability because it was concerned that it would create technical problems and damage revenues. “Facebook chose money over security,” the plaintiffs alleged.

Lawyers for the company disputed that claim, arguing that the hack had resulted from an "unforeseen" and "very obscure" combination of three separate glitches that was "completely unknown" to Facebook, and described any suggestion that Facebook had ignored the attack's causes as "baseless".

Last month, on Jan 17, Facebook quietly agreed to settle the case without admitting any responsibility or paying damages, though it will pay the plaintiffs' legal costs as determined by a court.

The settlement requires Facebook to certify that the flaws which led to the attack have been fixed and to adopt a security plan designed to prevent future attacks, which will be checked by an independent assessor every year for five years. The company continues to "vigorously" contest other lawsuits outside the US, which it describes as "without merit".

A spokesman said: “While we have reached an agreement in this matter, we know that attackers will continue to try to compromise our systems. That’s why we’ll keep investing in security to improve our detection capabilities and harden our defences.”