Tech giant Facebook failed to warn users about the risks attached to its single sign-on tool despite taking steps to protect employees from dangers, according to a lawsuit. According to the suit, Facebook knew about the vulnerability but failed to fix it for years.

A recent report from Reuters states that a lawsuit filed against social media giant Facebook alleges that the site failed to warn users about the risks linked to its single sign-on tool even though the site protected employees from those risks. The lawsuit relates to Facebook’s worst security breach ever in September 2018 when hackers stole “access tokens” that gave them access to 29 million accounts.

The filing in the U.S. District Court for the Northern District of California in San Francisco states: “Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge. Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”

Judge William Alsup told Facebook in January that he was willing to allow “bone-crushing discovery” in order to determine how much user data was stolen in the breach. Facebook claims that the attack only affected a “broad spectrum” of users without giving further details on which countries were most affected, etc.

14 million users affected by the breach had their birth dates, employers, education history, religious preference, types of devices used, pages followed, location check-ins and recent searches all collected by hackers. The other 15 million users only had their name and contact details stolen, hackers were also able to see the posts and friends lists of about 400,000 users.

Facebook did not respond to a request for comment from Reuters.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or email him at lnolan@breitbart.com