
The Man Who Stole and Then Sold Data on 178 Million Facebook Users Gets Sued by Facebook (therecord.media)

"Facebook has filed a lawsuit on Friday against a Ukrainian national for allegedly scraping its website and selling the personal data of more than 178 million users on an underground cybercrime forum," reports the Record. According to court documents filed Friday, the man was identified as Alexander Alexandrovich Solonchenko, a resident of Kirovograd, Ukraine. Facebook alleges that Solonchenko abused a feature of the Facebook Messenger service called Contact Importer. The feature allowed users to synchronize their phone address books and see which contacts had a Facebook account, so that they could reach out to their friends via Facebook Messenger. Facebook said that between January 2018 and September 2019 Solonchenko used an automated tool to pose as Android devices and feed Facebook servers millions of random phone numbers. As Facebook servers returned information about which phone numbers had an account on the site, Solonchenko collected the data, which he later offered for sale on December 1, 2020, in a post on RaidForums, a notorious cybercrime forum and marketplace for stolen data.
The article also notes that Facebook's court documents say Solonchenko scraped data from some of the largest companies in Ukraine, including its largest commercial bank and largest private delivery service.

And the Record points out that he's not the only person known to have used this hole to scrape Facebook's user data and then sell it on the forum. Days after another incident in April involving 533 leaked phone numbers of Facebook users, Facebook "revealed that it retired the Messenger Contact Importer feature back in September 2019 after it discovered Solonchenko and other threat actors abusing it."
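
How a service operator could spot the contact-import abuse described in the summary, as an added example that is not from the story or from Facebook's filing: real address books are small and mostly match existing accounts, while a client feeding random numbers produces high volume and a low match rate. The log layout, client ids and thresholds below are assumptions made for this sketch.

```python
from collections import defaultdict

def build_sample():
    """Constructed contact-sync events: (client_id, day, phone, matched_account)."""
    events = []
    # Ordinary address book: 40 contacts, most of them have accounts.
    for i in range(40):
        events.append(("device-a", "2019-03-01", f"+38050111{i:04d}", i % 4 != 0))
    # Enumerating client: 5,000 scattered numbers in one day, few matches.
    for i in range(5000):
        phone = f"+38067{(i * 7919) % 10_000_000:07d}"
        events.append(("device-b", "2019-03-01", phone, i % 25 == 0))
    # Large legitimate book synced twice; the repeats must not count as volume.
    for _ in range(2):
        for i in range(600):
            events.append(("device-c", "2019-03-01", f"+38093222{i:04d}", i % 2 == 0))
    return events

def flag_enumeration(events, max_daily_numbers=1000, max_hit_rate=0.10,
                     min_numbers_for_rate=100):
    """Return {(client, day): stats} for clients whose lookups look like enumeration.

    Thresholds are hypothetical and would be tuned on real traffic.
    """
    seen = defaultdict(dict)  # (client, day) -> {phone: matched}
    for client, day, phone, matched in events:
        seen[(client, day)][phone] = matched  # dedupe repeated syncs of a number
    flagged = {}
    for key, numbers in seen.items():
        total = len(numbers)
        hit_rate = sum(numbers.values()) / total
        reasons = []
        if total > max_daily_numbers:
            reasons.append("volume")
        # Hit rate is only meaningful once enough distinct numbers were tried.
        if total >= min_numbers_for_rate and hit_rate < max_hit_rate:
            reasons.append("low_hit_rate")
        if reasons:
            flagged[key] = {"numbers": total, "hit_rate": round(hit_rate, 3),
                            "reasons": reasons}
    return flagged

if __name__ == "__main__":
    for key, stats in flag_enumeration(build_sample()).items():
        print(key, stats)
```

Counting distinct numbers rather than raw requests is what keeps the twice-synced 600-contact book from being flagged.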
  • by Opportunist ( 166417 ) on Sunday October 24, 2021 @06:50AM (#61921765)

    You can sue the competition out of business?

  • by dromgodis ( 4533247 ) on Sunday October 24, 2021 @06:53AM (#61921771)

    Is this a slightly more involved version of the USAmerican politician that sues a newspaper because the government published private information to anyone?

  • Stole? (Score:4, Insightful)

    by vbdasc ( 146051 ) on Sunday October 24, 2021 @07:05AM (#61921779)

    Was there a theft? What I got from the story tells me that the man merely took what FB was offering freely. Did he hack their servers or what?

  • by bluegutang ( 2814641 ) on Sunday October 24, 2021 @07:08AM (#61921787)

    Isn't Facebook's entire profit model based on extracting and selling users' data?

    • Exactly. Where do you think the damages come from? Whatever he made is money FB says should have gone to it instead.
    • Not really, at least they don't officially claim to sell user data.
      They sell ads tailored to users based on the data they have.
  • Fortunately (Score:4, Funny)

    by zenlessyank ( 748553 ) on Sunday October 24, 2021 @07:17AM (#61921797)

    The award money will go back to the users whose data was stolen.

    O wait...

    • Now now. That wouldn't be right. Look at all the lost revenue/opportunity for revenue FB here. Whoever he sold it to might have bought it from them otherwise!
  • by JoeyRox ( 2711699 ) on Sunday October 24, 2021 @07:32AM (#61921813)
    He scraped phone numbers from Facebook, who itself scraped from users of its 2FA system.
  • You can't steal data (Score:3, Interesting)

    by nospam007 ( 722110 ) * on Sunday October 24, 2021 @07:43AM (#61921831)

    He just copied it, the data is still there, I checked.

    • Just because you leave your front door open doesn't mean you give random strangers in the street the right to come in and help themselves to your stuff.

      However, don't expect the insurance company to pay up if you leave your front door open and you get burglarized.

      Translated to the FB case, it means the Ukrainian man should be judged and sentenced, and FB should get zilch in compensation - and possibly held to account for their poor security.

      • But, to stay with your analogy, he didn't at all enter the house. He barely built a device to automate knocking at the door and asking for a gentle gift in the same way his own phone does when he runs the Facebook app.
        Facebook acts like a baker suing the sparrows after he found out his housekeeper had thrown the crumbs out on the street to feed the songbirds.

        • "But, to stay with your analogy, he didn't at all enter the house. He barely built a device to automate knocking at the door and asking for a gentle gift in the same way his own phone does when he runs the Facebook app."

          Took his phone out and took a photo of the doorbells with the names of all the people living there.

          • Took his phone out and took a photo of the doorbells with the names of all the people living there.

            Not exactly because:

            The feature allowed users to synchronize their phone address books and see which contacts had a Facebook account in order to allow users to reach out to their friends via Facebook Messenger.

            So he looked through their windows and saw notepads with the phone numbers of their friends, which he photographed. He didn't even need to break the window - the notepads were right next to the windows.

      • "Just because you leave your front door open doesn't mean you give random strangers in the street the right to come in and help themselves to your stuff."

        Agreed, but if I'm in the street I can draw, photograph, film anything that I can see on your property.

        If you leave your front-door open I can even film through there.

      • Just because you leave your front door open doesn't mean you give random strangers in the street the right to come in and help themselves to your stuff.

        Actually they can: Web scraping is now legal [medium.com]
      • Translated to the FB case, it means the Ukrainian man should be judged and sentenced

        This is a civil case, not a criminal case.

  • Unfair competition (Score:3, Insightful)

    by Reiyuki ( 5800436 ) on Sunday October 24, 2021 @08:08AM (#61921871)
    To be clear, Facebook sells all of this user data (and much more) to anyone willing to pay for it.
    • No. The user data is kept secret, allowing them to continuously sell targeted ad space. Companies like Facebook know better than to actually sell your contact info and browsing habits to some local car dealer or whatnot, because there would be lawsuits up the ass if they tried.
      • In theory, mass-market ad data can be anonymized. In practice, any large dataset contains enough data to fingerprint the majority of the users in that dataset. https://techcrunch.com/2019/07... [techcrunch.com]
        • Facebook wouldn't need to anonymize their user data because that data isn't being released or revealed to others outside Facebook. I don't see how the article you linked relates to your original point.
  • by CoolDiscoRex ( 5227177 ) on Sunday October 24, 2021 @08:37AM (#61921891) Homepage

    What happened to Facebook's binding arbitration clause? I thought they favored arbitration as the most just form of dispute resolution? If they take him to court, they could be jeopardizing future instances where they try to compel arbitration. The court usually takes a dim view of adhesion contracts which lack mutual assent.

  • by delirious.net ( 595841 ) on Sunday October 24, 2021 @08:51AM (#61921929)
    We have the data and we don't give a fuck, an IP can retrieve as much unique data points publicly as it wants.

    Data only please, security is optional, coz we don't care.
    It is here. But don't touch it! or else..
  • NOOOO, you can't just steal users' data and sell it! That's our job!

  • The combination of name+phone used to be available in books for free.
  • Comment removed based on user account deletion
    • by ebvwfbw ( 864834 )

      It sure sounded like a classic attack like I see on e-mail servers all the time.

      • Comment removed based on user account deletion
        • Comment removed based on user account deletion
        • by ebvwfbw ( 864834 )

          Legal fiction? LOL. I was trying to figure out why you were objecting to being right. I think I skipped the last part of what you said.

          To say that you cannot steal anything from a server remotely is absolutely false and dangerously ignorant. You absolutely can steal stuff from a server just like you can steal stuff from a grocery store. This very thing is reported on slashdot from time to time.

          If you're going to be pedantic, I'm not interested. Don't waste our time.

          • Comment removed based on user account deletion
          • Comment removed based on user account deletion
            • by ebvwfbw ( 864834 )

              You are funny.

              "Don't waste our time", the poster expressed. as he killed some time playing slashdot discussion.

              And yet you did precisely that.

              You are given permission to look at it. Not harvest and then sell the data. I think you know it. That gets back to the disingenuousness of your first response about it being a legal fiction.

              You're the funny one. Not just one response - I get two! LOL.
