Facebook rejects new allegation that it protected employees over users in 2018 breach

The plaintiffs say the company knew about the problem with "access tokens" for years and chose to protect its own employees before fixing the problem for users.

A class-action lawsuit over a 2018 breach of Facebook has another wrinkle: A new court filing reveals allegations that the social media company moved to protect its own employees from the exploited vulnerability while keeping users in the dark.

Facebook called the allegation, made public Thursday, “absolutely false.” The plaintiffs’ claim centers on the company’s handling of a problem with the “access token” that lets people into their profiles without having to log in every time they visit Facebook.

“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” says the court filing in the U.S. District Court for the Northern District of California. “Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”

A vulnerability in Facebook’s code allowed an attacker to steal the tokens. Facebook disclosed the breach last September, initially saying 50 million accounts were affected before revising that number to 30 million.


In a separate court filing in response to the allegations, Facebook’s lawyers said the lead plaintiff, Michigan resident Stephen Adkins, was “severely misrepresenting the record.” The document, also made public Thursday, said Facebook had asked Adkins either to retract his allegation that the company shielded its employees from the breach but not other users, or to provide the “good-faith basis” he had for it. Adkins has done neither, according to the filing.

It is unclear how the new allegations will affect the case.

Lawyers for Adkins could not be reached for comment.

The Facebook breach was sweeping: Of those affected, 15 million people had their name and contact details, such as a phone number, email address or both, accessed. The class-action lawsuit alleges Facebook’s negligence on security issues exposed the plaintiffs to identity theft.

“We believe the case has no merit,” a Facebook spokesperson said. “We took immediate action to secure people’s accounts when we discovered the security vulnerability that we announced in September of last year, and we came forward consistently to explain what we had learned.”


Reuters was first to report on the court filing.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
