TikTok data breach exposed information of 2.4 billion users, new class action claims

California resident Sean Mortazi filed a class action lawsuit against TikTok Inc. on June 11, 2026, alleging a data breach exposed the personal data of more than 2.4 billion users worldwide.

The complaint, filed in the U.S. District Court for the Central District of California, claims TikTok stored unencrypted data and skipped basic security steps that could have stopped the attack.

What happened in the TikTok breach?

The complaint claims cybercriminals accessed one of TikTok's databases and pulled records tied to almost its entire user base. A hacker group reportedly posted the breach on an online forum on June 11, 2026, sharing sample records to back the claim.

The exposed information included names, usernames, email addresses, phone numbers, dates of birth, gender, language preferences and location data, according to the lawsuit. TikTok allegedly did not encrypt the data.

TikTok's alleged privacy promises

The complaint claims TikTok's privacy policy states, "Your privacy is a top priority at TikTok" and that it pledges reasonable measures to protect users' information from theft and misuse. These promises formed an implied contract with the hundreds of millions of people who handed over their details, the lawsuit alleges.

TikTok's business allegedly relies on collecting and monetizing user data, and the company reported roughly $50 billion in profit for 2025. The lawsuit says the company should have allocated those resources toward stronger protection.

TikTok skipped vital security steps, lawsuit alleges

Mortazi claims TikTok ignored many privacy safeguards. The complaint alleges the company failed to encrypt user data, skipped multifactor authentication and gave employees and systems far broader data access than they needed. It also claims TikTok did not operate a working intrusion detection, poorly monitored its network and did not employ tools to flag huge volumes of data leaving its servers.

The class action contends TikTok reported a breach in April 2025 that exposed nearly 1 million user passwords, which the complaint says alerted the company that its systems were a target. However, TikTok still failed to close the gaps in the months that followed, the lawsuit claims.

The legal claims

The complaint brings 10 counts against TikTok, including:

  • Negligence and negligence per se, claiming TikTok owed users a duty to protect their data and failed to meet it
  • Breach of implied contract, saying TikTok broke the security promises in its own privacy policy
  • Invasion of privacy, citing California common law and the state constitution
  • Unjust enrichment, claiming TikTok profited from data it did not adequately protect
  • California Consumer Privacy Act, requiring companies to guard residents' data with reasonable security
  • California Customer Records Act, mandating prompt notice to people caught in a breach
  • California Unfair Competition Law, barring unfair or deceptive business practices

What the case means for TikTok users

The proposed class covers a nationwide class of affected users, as well as a California subclass. There is no settlement, no claims process and no money available now. Mortazi seeks monetary damages, a court order forcing TikTok to tighten its security and a declaration that the company broke its legal duties to users. The allegations remain unproven in court.