The Man Who Stole and Then Sold Data on 178 Million Facebook Users Gets Sued by Facebook

"Facebook has filed a lawsuit on Friday against a Ukrainian national for allegedly scraping its website and selling the personal data of more than 178 million users on an underground cybercrime forum," reports the Record. According to court documents filed Friday, the man was identified as Alexander Alexandrovich Solonchenko, a resident of Kirovograd, Ukraine. Facebook alleges that Solonchenko abused a feature part of the Facebook Messenger service called Contact Importer. The feature allowed users to synchronize their phone address books and see which contacts had a Facebook account in order to allow users to reach out to their friends via Facebook Messenger. Between January 2018 and September 2019, Facebook said that Solonchenko used an automated tool to pose as Android devices in order to feed Facebook servers with millions of random phone numbers. As Facebook servers returned information for which phone numbers had an account on the site, Solonchenko collected the data, which he later collected and offered for sale on December 1, 2020, in a post on RaidForums, a notorious cybercrime forum and marketplace for stolen data.
The article also notes that Facebook's court documents say Solonchenko scraped data from some of the largest companies in the Ukraine, including its largest commercial bank and largest private delivery service.

And the Record points out that he's not the only person known to have this hole to scrape Facebook's user data and then sell it on the forum.) Days after another incident in April involving 533 leaked phone numbers of Facebook user, Facebook "revealed that it retired the Messenger Contact Importer feature back in September 2019 after it discovered Solonchenko and other threat actors abusing it."

That works?

[Opportunist]

You can sue the competition out of business?

Re: That works?

[RegistrationIsDumb83]

'Nobody sells our user's data but us!'

Re: That works?

[mSparks43]

The Facebook/google collaberation has no problem with others selling their data, this guys crime was selling it openly and cheap while telling people he got it from froogle.

Re:

[hey!]

Why is this modded "Funny" rather than "Insightful"?

Re: That works?

[IdanceNmyCar]

Because sometimes humor is insightful and we don't live in a world of states totally dictated by a singular dimension. Yin and yang on that, biatch.

Re:That works?

[vbdasc]

Especially when you're one of the biggest companies worldwide, and you sue the competition, who happens to be a poor person living in a poor country, in an American court, it looks more like a d!ck move than anything.

Re:

[Anonymous Coward]

It's the American way.

Re: That works?

[bumblebees]

Yes! Because American law applies everywhere in the world! (Rolling my eyes.. )

Re:

[Anonymous Coward]

I forgot to mention that for the American way you also need to maintain the "by the bootstraps" and "creating jobs" narrative.

Then the little guy will think "Darn right! That could totally be me if I wanted to! I'm just so busy with other stuff", will proceed to pop open a cold Bud Light and go shoot some squirrels that weren't bothering anyone.

Re:

[nightflameauto]

Fuck you. Squirrels are little fuckers and constantly bother everyone. They get what's coming to them.

Re: That works?

[bumblebees]

Wait. Its not even a law he broke! He just broke FB eula... the one noone ever reads.

Re: That works?

[IdanceNmyCar]

As opposed to all the EULA people actually read...

Same pattern

[dromgodis]

Is this a slightly more involved version of the USAmerican politician that sues a newspaper because the government published private information to anyone?

Re:

[Impy the Impiuos Imp]

If he did something illegal to get the data, yes he could be sued, or even prosecuted. This is the argument about Julian Assange: did he just receive the info and publish it (protected) or did he help with the illegal extraction of the information with money or instructions?

Are there cases like you said? You can't use the government to censor through the courts to get around the First Amendment, either, though they are allowing takedown orders of libelous speech that has been judged so as the outcome of

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[phantomfive]

Web scraping has been tested in court, and found to not be illegal [medium.com].

Maybe he violated a different law, but it seems unlikely.

Re: Same pattern

[IdanceNmyCar]

I am pretty sure it falls under EULA but how this relates to web scrapping is not clear. If the scrapping requires credentials, that's probably the catch. I think that's the basis here but purely a guess.

Re:

[phantomfive]

Yeap. I skimmed the lawsuit (linked in the summary/article), and Facebook is accusing him of violating their terms and conditions.

Stole?

[vbdasc]

Was there a theft? What I got from the story tells me that the man merely took what FB was offering freely. Did he hack their servers or what?

Re: Stole?

[Ronin Developer]

He did automate their Contacr tool to appear as one or more new Android devices to collect the info.

Perhaps, by misrepresenting himself, that could be considered âoehackingâ and âoedeceptionâ.

Re: Stole?

[Ichijo]

So if Facebook wins this, signing up with a false name will fall under the crime of hacking. Crafty!

Re: Stole?

[IdanceNmyCar]

In bulk clearly but as an individual, maybe not. Interesting point though.

Re:

[gtall]

Perhaps by misrepresenting their technology, Facebook hopes to dissuade others from selling user information before Facebook does.

Re:

[phantomfive]

According to the complaint in the link, Facebook is accusing him of violating terms of service, not of hacking.

Perhaps they are suing him because they know he will not defend himself in a US court, and they are hoping to get a favorable precedent set to sue other people who violate the terms of service.

Re: Stole?

[mSparks43]

Yes, Facebook expect to be paid when their user data is bought.

Pot calling the kettle black

[bluegutang]

Isn't Facebook's entire profit model based on extracting and selling users' data?

Re:

[shaitand]

Exactly. Where do you think the damages come from? Whatever he made is money FB says should have gone to it instead.

Re:

[sysstemlord]

Not really, at least they don't officially claim to sell user data.
They sell ads tailored to users based on the data they have.

Fortunately

[zenlessyank]

The award money will go back to the users whose data was stolen.

O wait...

Re:

[shaitand]

Now now. That wouldn't be right. Look at the all lost revenue/opportunity for revenue FB here. Whoever he sold it to might have bought it from them otherwise!

Scrape my back, I'll scrape yours

[JoeyRox]

He scraped phone numbers from Facebook, who itself scraped from users of its 2FA system.

You can't steal data

[nospam007]

He just copied it, the data is still there, I checked.

Re:

[Rosco P. Coltrane]

Just because you leave your front door open doesn't mean you give random strangers in the street the right to come in and help themselves to your stuff.

However, don't expect the insurance company to pay up if you leave your front door open and you get burglarized.

Translated to the FB case, it means the Ukrainian man should be judged and sentenced, and FB should get ziltch in compensation - and possibly held to account for their poor security.

Throwing out crumbs, then sue the sparrows

[daniel23]

But, to stay with your analogy, he didn't at all enter the house. He barely built a device to automate knocking at the door and asking for a gentle gift in the same way his own phone does when he runs the facebook app.
facebook acts like a baker sueing the sparrows after he found out his housekeeper had thrown the crumbs out on the street to feed the songbirds.

Re:

[nospam007]

"But, to stay with your analogy, he didn't at all enter the house. He barely built a device to automate knocking at the door and asking for a gentle gift in the same way his own phone does when he runs the facebook app."

Took his phone out and took a photo of the doorbells with the names of all the people living there.

Re:

[infolation]

Took his phone out and took a photo of the doorbells with the names of all the people living there.

Not exactly because:

The feature allowed users to synchronize their phone address books and see which contacts had a Facebook account in order to allow users to reach out to their friends via Facebook Messenger.

So he looked through their windows and saw notepads with the phone numbers of their friends, which he photographed. He didn't even need to break the window - the notepads were right next to the windows.

Re:

[nospam007]

"Just because you leave your front door open doesn't mean you give random strangers in the street the right to come in and help themselves to your stuff."

Agreed, but if I'm in the street I can draw, photograph, film anything that I can see on your property.

If you leave your front-door open I can even film through there.

Re:

[JoeyRox]

Just because you leave your front door open doesn't mean you give random strangers in the street the right to come in and help themselves to your stuff.

Actually they can: Web scraping is now legal [medium.com]

Re:

[phantomfive]

Translated to the FB case, it means the Ukrainian man should be judged and sentenced

This is a civil case, not a criminal case.

Unfair competition

[Reiyuki]

To be clear, Facebook sells all of this user data (and much more) to anyone willing to pay for it.

Re:

[skoskav]

No. The user data kept secret, allowing them to continuously sell targeted ad space. Companies like Facebook know better than to actually sell your contact info and browsing habits to some local car dealer or whatnot, because there would be lawsuits up the ass if they tried.

Re:

[Reiyuki]

In theory, mass-market ad data can be anonymized. In practice, any large dataset contains enough data to fingerprint the majority of the users in that dataset. https://techcrunch.com/2019/07... [techcrunch.com]

Re:

[skoskav]

Facebook wouldn't need to anonymize their user data because that data isn't being released or revealed to others outside Facebook. I don't see how the article you linked relates to your original point.

Wait

[CoolDiscoRex]

What happened to Facebookâ(TM)s binding arbitration clause? I thought they favored arbitration as the most just form of dispute resolution? If they take him to court, they could be jeopardizing future instances where they try to compel arbitration. The court usually takes a dim view of adhesion contracts which lack mutual assent.

A good show of faith for Facebook users.

[delirious.net]

We have the data and we don't give a fuck, an IP can retrieve as much unique data points publicly as it wants.

Data only please, security is optional, coz we don't care.
It is here. But don't touch it! or else..

REEEE

[systemd-anonymousd]

NOOOO, you can't just steal users' data and sell it! That's our job!

Who Cares?

[Luthair]

The combination of name+phone used to be available in books for free.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ebvwfbw]

It sure sounded like a classic attack like I see on e-mail servers all the time.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ebvwfbw]

Legal fiction? LOL. I was trying to figure out why you were objecting to being right. I think I skipped the last part of what you said.

To say that you cannot steal anything from a server remotely is absolutely false and dangerously ignorant. You absolutely can steal stuff from a server just like you can steal stuff from a grocery store. This very thing is reported on slashdot from time to time.

If you're going to be pedantic, I'm not interested. Don't waste our time.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ebvwfbw]

You are funny.

"Don't waste our time", the poster expressed. as he killed some time playing slashdot discussion.

And yet you did precisely that.

You are given permission to look at it. Not harvest and then sell the data. I think you know it. That gets back to the disingenuousness of your first response about it being a legal fiction.

You're the funny one. Not just one response - I get two! LOL.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ebvwfbw]

Sorry but the premise that a person has ownership after it leaves their possession is not supported by this universe.

What? To me this is like someone saying the sky is red. Why do you think this?

Of course I still have ownership after things leave my possession. I drop my car off at Goodyear to have the tires changed. You're saying I don't own the car anymore? I checked in a pistol at the gun shop to be worked on. It's not my pistol anymore? Of course they are still mine. I own them. There is LOTS of case law on this.

In the information sense you're still wrong. I've seen cases where a salesman made off with a companies cli

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion