- Facebook sues lexander Solonchenko, a programmer from Kirovograd, Ukraine.
- Facebook says Solonchenko scraped its servers from January 2018 to September 2019 by abusing a Facebook Messenger feature.
- The stolen information, for 178 million Facebook users, was later sold on a hacking forum.
Facebook has filed a lawsuit on Friday against a Ukrainian national for allegedly scraping its website and selling the personal data of more than 178 million users on an underground cybercrime forum.
According to court documents filed today, the man was identified as Alexander Alexandrovich Solonchenko, a resident of Kirovograd, Ukraine.
Facebook alleges that Solonchenko abused a feature part of the Facebook Messenger service called Contact Importer.
The feature allowed users to synchronize their phone address books and see which contacts had a Facebook account in order to allow users to reach out to their friends via Facebook Messenger.
Scraping took place over 21 months
Between January 2018 and September 2019, Facebook said that Solonchenko used an automated tool to pose as Android devices in order to feed Facebook servers with millions of random phone numbers.
As Facebook servers returned information for which phone numbers had an account on the site, Solonchenko collected the data, which he later collected and offered for sale on December 1, 2020, in a post on RaidForums, a notorious cybercrime forum and marketplace for stolen data.
Facebook said Solonchenko was a prodigious user on the forum, where he operated using the username of Solomame (later renamed to barak_obama), and had sold the data of hundreds of millions of users from multiple companies.
“Since 2020, Solonchenko has sold stolen or scraped data from Ukraine’s largest commercial bank, Ukraine’s largest private delivery service,
and a French data analytics company,” Facebook said in court documents today.
OpSec mistakes tied Solonchenko to Solomame persona
The social network said it was able to link Solonchenko to the RaidForums user after the defendant used the same username and contact methods on job portals and for email accounts.
“Solonchenko worked as a freelance computer programmer with experience working with several programming languages including Python, PHP, and Xrumer, which is a software used for spamming; automating tasks on Android emulators; and conducting affiliate marketing,” Facebook said.
“Until in or around June 2019, Solonchenko also sold shoes online under the business name ‘Drop Top’,” Facebook added.
The social network is now asking a judge to issue injunctions that would forbid Solonchenko from accessing Facebook sites and from selling any more of Facebook’s scraped data. The social network is also seeking unspecified damages.
Facebook retired Contact Importer feature in September 2019
The Solonchenko incident marks the second Facebook data scrape that was collected using the Messenger Contact Importer feature and then shared via RaidForums.
In April 2021, another threat actor leaked the phone numbers of 533 million Facebook users, which Facebook also said was collected by abusing the same feature.
Days after this incident, Facebook revealed that it retired the Messenger Contact Importer feature back in September 2019 after it discovered Solonchenko and other threat actors abusing it.
Source: Recorded Future