On October 21, 2021, Facebook filed a lawsuit against a Ukrainian citizen for allegedly scraping the information of 178 million users of the social network and selling the data on hacker forums.
Reportedly, the data scraping occurred between 2018 and 2019. Also called web scraping, data scraping refers to importing massive amounts of data from a website and storing it on a local device in a spreadsheet or document.
It is worth noting that in January 2021, Facebook also sued a Portuguese company for developing malicious Chrome extensions allowing data scraping.
Is data scraping illegal?
Web data scraping is a technique in which a computer program (a bot) extracts data from a website; depending on its use, it is illegal.
Cybercriminals can access this information if proper security measures are not implemented. For instance, malicious actors can use ‘scraper bots’ to extract private information anonymously.
Who’s facing the lawsuit?
The lawsuit was filed against freelance computer programmer Alexander Solonchenko from Kirovograd, Ukraine, who used the online handles barak_obama and Solomame to carry out his objectives.
Court documents revealed that the programmer could access and sell user IDs and contact numbers. These are publicly available, but obtaining and selling the data is against Facebook’s terms of service.
According to reports, in 2018, Solonchenko scraped the personal details of Facebook users by exploiting the contact import feature of Facebook, which the company discontinued in Sep 2019.
Using this feature, he could sync users’ contact lists to identify which contacts had an account on Facebook to reach out to them on Messenger. The defendant then fed Facebook servers with millions of random phone numbers.
Facebook claims that he used an automated tool to mimic Android devices in this attack. Whenever the company's servers returned information about the accounts associated with the phone numbers fed to them, he collected it.
The programmer allegedly tried to sell the stolen data on the clearnet cybercrime and hacker forum called RaidForums in October 2020. Facebook also stated that the defendant exploited the feature between Jan 2018 and September 2019, which means the data heist continued for more than 21 months.
About Contact Importer Feature
This feature allowed users to upload their contact lists directly from the address books on their mobile devices and provided them with a one-to-one list of users whose phone numbers matched the numbers uploaded from a device’s address book. This functionality was included to let users identify friends through their contact information.
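A defender's view of the abuse described above, as an added example that is not Facebook's code or part of the original article: a genuine address book stays mostly the same between syncs, while an enumeration client uploads fresh numbers every time. The thresholds, account names and phone numbers are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds for illustration; tune them against real traffic.
MAX_UNIQUE_NUMBERS = 5000  # cap on distinct numbers one account may upload
MAX_CHURN = 0.5            # share of never-before-seen numbers in a re-sync
MIN_RESYNC_SIZE = 50       # ignore tiny re-syncs when judging churn


def flag_enumerators(events):
    """events: iterable of (account_id, [phone numbers]) in time order.

    Returns {account_id: reason} for accounts whose contact uploads look
    like phone-number enumeration rather than a real address book.
    """
    seen = defaultdict(set)  # account -> every number it has uploaded so far
    flagged = {}
    for account, numbers in events:
        batch = set(numbers)
        known = seen[account]
        fresh = batch - known
        # A real address book re-sync repeats most previously seen contacts.
        if known and len(batch) >= MIN_RESYNC_SIZE:
            churn = len(fresh) / len(batch)
            if churn > MAX_CHURN:
                flagged.setdefault(account, f"re-sync churn {churn:.2f}")
        known |= fresh
        # No personal address book holds this many distinct numbers.
        if len(known) > MAX_UNIQUE_NUMBERS:
            flagged.setdefault(account, f"{len(known)} distinct numbers uploaded")
    return flagged


def sample_events():
    """Constructed sample traffic, not real data."""
    book = [f"+1555010{i:04d}" for i in range(200)]
    events = [("alice", book), ("alice", book + ["+15550990001", "+15550990002"])]
    for batch in range(6):  # automated client: 1000 new numbers per upload
        events.append(("bot-17", [f"+1556{batch:02d}{i:05d}" for i in range(1000)]))
    return events


if __name__ == "__main__":
    print(flag_enumerators(sample_events()))
```

Because the attack mimicked many Android devices, the same counters would also need to be keyed on signals that survive account or device rotation, such as network origin or device attestation.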
How Did Facebook Track the programmer?
Facebook tracked down the programmer after he mistakenly used the same username and contact information on email and job portals. It turned out that the Ukrainian programmer had scraped and sold data from several other high-profile firms and organizations, including Ukraine’s largest private delivery service, largest commercial bank, and a France-based data analytics firm.
After tracking him down, Facebook quickly filed a lawsuit with the Federal District Court for the Northern District of California and asked the judge to ban Solonchenko from accessing its website and selling the scraped data, in addition to seeking undefined damages.