Yet another Facebook data scraping triggers new lawsuit
News of another massive data leak at Facebook was recently reported, the latest of several high profile incidents involving the social media giant. On October 21 this year, Facebook filed a lawsuit against a Ukrainian hacker for allegedly scraping information from 178 million user profiles and then attempting to sell the data on Dark Web hacker forums.
‘Data scraping’ or ‘web scraping’ is the unauthorized (and illegal if personal data is involved) copying of data from a website or application. According to Facebook, between January 2018 and September 2019, the hacker allegedly exploited the ‘Contact Importer’ feature in Facebook’s Messenger application that allowed users to upload their contact list directly from their smartphones to find friends on the site through their phone numbers.
Using bots that emulated Android smartphones and tablets, the individual in the lawsuit is accused of uploading millions of random phone numbers to Facebook’s servers via the Messenger app to find matching profile IDs. If a Facebook profile matched an uploaded phone number, Messenger would show the hacker or data scraper the name and associated Facebook ID corresponding to that phone number.
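The enumeration pattern described above leaves a measurable trace on the server side: a genuine address-book upload matches most of its numbers, while uploads of random numbers match almost none, and a fleet of emulated devices tends to share a small set of source addresses. The following is an added example (not Facebook's or Radware's code) of a detection heuristic run over constructed contact-import request logs; the log format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log lines (not real data), one contact-import request per line.
# Assumed format: timestamp  client/device id  source IP  numbers uploaded  numbers matched
SAMPLE_LOG = """\
2019-09-01T10:00:01Z dev-a1 192.0.2.44 120 97
2019-09-01T10:00:07Z dev-b7 203.0.113.5 5000 3
2019-09-01T10:00:09Z dev-b8 203.0.113.5 5000 2
2019-09-01T10:00:12Z dev-b9 203.0.113.5 5000 4
2019-09-01T10:01:30Z dev-c2 198.51.100.9 45 41
"""

def parse_log(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        ts, client, ip, uploaded, matched = line.split()
        records.append({"ts": ts, "client": client, "ip": ip,
                        "uploaded": int(uploaded), "matched": int(matched)})
    return records

def flag_enumeration(records, min_uploaded=1000, max_match_rate=0.05, max_clients_per_ip=2):
    """Return {client_id: [reasons]} for clients whose behaviour resembles
    phone-number enumeration through a contact importer.

    Heuristics (assumptions of this example, tune for a real service):
    - high upload volume combined with a near-zero match rate, since random
      numbers rarely correspond to registered accounts;
    - many distinct device ids behind one source IP, a sign of emulated devices.
    """
    per_client = defaultdict(lambda: {"uploaded": 0, "matched": 0, "ip": None})
    clients_per_ip = defaultdict(set)
    for r in records:
        c = per_client[r["client"]]
        c["uploaded"] += r["uploaded"]
        c["matched"] += r["matched"]
        c["ip"] = r["ip"]
        clients_per_ip[r["ip"]].add(r["client"])
    flagged = {}
    for client, c in per_client.items():
        rate = c["matched"] / c["uploaded"] if c["uploaded"] else 0.0
        reasons = []
        if c["uploaded"] >= min_uploaded and rate <= max_match_rate:
            reasons.append("low_match_rate")
        if len(clients_per_ip[c["ip"]]) > max_clients_per_ip:
            reasons.append("many_devices_per_ip")
        if reasons:
            flagged[client] = reasons
    return flagged
```

Flagged clients are candidates for rate limiting or step-up verification on the import endpoint; the thresholds must be calibrated against the service's own legitimate match-rate distribution.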
When combined with other data leaks and breaches that contain more bits of personal information and contact details to create an aggregated data file, such information can be used to target individuals and hack into their banking, social media, and other accounts to commit financial crimes. The data can also be abused to send email spam, make robocalls, and carry out blackmail, espionage, harassment, defamation, identity impersonation, and other criminal activities.
This is not the first time the Messenger Contact Importer feature was exploited to scrape Facebook profile data. In April this year, profile names, phone numbers, Facebook ID numbers, email addresses, locations, gender, work information and other data for 533 million Facebook users were scraped using the same tactic and sold on an underground Dark Web hacker forum. Facebook claimed that this earlier leak also occurred from 2018-19, and that the contact import feature was no longer in use after that incident.
Can companies sue the scrapers?
As we explained in our blog on the LinkedIn data leak, a United States court ruled that publicly available profile information that users voluntarily provided was not protected by data privacy laws, and the judge hearing the LinkedIn scraping lawsuit permitted the company involved to continue collecting public profile data from LinkedIn. Facebook’s legal filings in this case claimed that although the Ukrainian hacker could indeed access publicly available profile data, he broke the law and Facebook’s terms of service by offering to sell that data on the Dark Web. The social network seeks to ban the hacker from using Facebook’s website and apps and to collect legal damages for the sale of the scraped data. According to Facebook’s legal team, the same hacker had also scraped and sold personal data from several other well-known organizations, including the largest private delivery service and the biggest commercial bank in Ukraine, as well as a French data analytics firm.
With such massive data leaks taking place at firms with enormous resources such as Facebook and LinkedIn, how can smaller companies protect their user and enterprise data and defend against sophisticated bots that can be easily bought online and deployed against them to carry out a range of harmful attacks? The fact is, every company, large or small, is a potential target for bot attacks. As Web technologies develop and many sites and apps increasingly rely on APIs for essential functionality, it is crucial for security chiefs to implement a dedicated bot management solution that can protect websites, apps and APIs from the danger posed by bots deployed with malicious intentions.
How can scraping attacks be prevented?
As bot technologies rapidly advance in their sophistication and ability to mimic human behavior on websites and apps, conventional security measures based on blocklists and on showing CAPTCHAs to suspected bots can no longer provide adequate security. The need of the day is for specialized solutions such as Radware Bot Manager that leverage machine learning, artificial intelligence, collective bot signature databases, and intent detection to analyze potentially malicious behavior in real time and stop harmful attacks before they can start.
Apart from the legal penalties that could be imposed on a company under the GDPR or CCPA data protection regulations, user lawsuits and media coverage can seriously harm the brand value, reputation, and user trust of enterprises that are victims of bot attacks that exfiltrate personal data, especially considering the massive scale that leaks and breaches can reach when sophisticated bots are deployed in large numbers. While the cost to cybercriminals using bots is low, the damage to their victims can sometimes be irreparable.