Facebook is suing two Ukrainian men for running a years-long hacking scheme that ended up stealing personal data from social media users through quiz apps.
The Menlo Park-based company accused Gleb Sluchevsky and Andrey Gorbachov of scamming Facebook users into installing malware in their browsers. These malicious plug-ins were disguised as "character and popularity" quizzes or horoscopes.
Facebook said it discovered the hackers' scheme "through an investigation of malicious extensions." The company promptly suspended all the affected accounts in October. It then contacted browser makers to have the malware removed.
Malicious Browser Plug-Ins
Sluchevsky and Gorbachov reportedly used four popular web apps including FQuiz and Supertest. Through this malware, the two men were able to victimize as many as 63,000 Facebook accounts, most of which were owned by Ukrainian and Russian users.
The scheme worked by presenting Facebook users with interesting quiz titles such as "What Kind of Person Do People Think You Are?" or "What Does Your Eye Color Say About You?"
These quizzes would then ask users to allow them to connect their profiles to third-party apps via the Facebook Login feature.
Once a user profile was connected, Sluchevsky and Gorbachov would then send and install malicious plug-ins to their victims' browsers. This would allow the hackers to mine accounts for private data, including personal information on the victims and everyone else on their friends' lists.
The culprits also used malware to forcibly "inject unauthorized advertisements" into Facebook News Feeds or other social media websites whenever victims of the scam went online. Facebook's complaint said Sluchevsky and Gorbachov caused the company to suffer "irreparable reputational harm."
The company has accused the Ukrainian duo of violating the Computer Fraud and Abuse Act by illegally accessing Facebook data. The two culprits are also facing charges of fraud and breach of contract for misrepresenting themselves as legitimate developers.
Private Data For Sale
Sluchevsky and Gorbachov's hacking scheme is likely connected to an incident last year, where 81,000 private Facebook messages were compromised and offered for sale.
Hackers had put up an advertisement claiming that they would allow access to the accounts for 10 cents apiece. However, the ad was later taken down.
Facebook denied having a cybersecurity breach, though it did contact browser makers about potential threats.
"We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores," a Facebook spokesman said.
"We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts."
The BBC later confirmed that more than 81,000 of the Facebook accounts being offered by hackers indeed contained private messages.
Some 176,000 additional profiles were also made available, though these were said to be taken from accounts that had some personal information, such as phone numbers and e-mail addresses, open to the public.
The case against Sluchevsky and Gorbachov is different from the Cambridge Analytica scandal, where Facebook allegedly gave developers access to user information.