A class-action lawsuit over a 2018 breach of Facebook has another wrinkle: A new court filing reveals allegations that the social media company moved to protect its own employees from the exploited vulnerability while keeping users in the dark.
Facebook called the allegation, made public Thursday, “absolutely false.” The plaintiffs’ claim centers on the company’s handling of a problem with the “access token” that lets people into their profiles without having to log in every time they visit Facebook.
“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” says the court filing in the U.S. District Court for the Northern District of California. “Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”
A vulnerability in Facebook’s code allowed an attacker to steal the tokens. Facebook disclosed the breach last September, initially saying 50 million accounts were affected before revising that number to 30 million.
In a separate court filing in response to the allegations, Facebook’s lawyers said the lead plaintiff, Michigan resident Stephen Adkins, was “severely misrepresenting the record.” The document, also made public Thursday, said Facebook had asked Adkins either to retract his allegation that the company shielded its employees, but not other users, from the breach, or to provide a “good-faith basis” for it. Adkins has done neither, according to the filing.
It is unclear how the new allegations will affect the case.
Lawyers for Adkins could not be reached for comment.
The Facebook breach was sweeping: Of those affected, 15 million people had their name and contact details, such as a phone number, email address or both, accessed. The class-action lawsuit alleges Facebook’s negligence on security issues exposed the plaintiffs to identity theft.
“We believe the case has no merit,” a Facebook spokesperson said. “We took immediate action to secure people’s accounts when we discovered the security vulnerability that we announced in September of last year, and we came forward consistently to explain what we had learned.”
Reuters was first to report on the court filing.