Facebook Sues Developer Over Alleged Data Scraping Abuse

facebook-logo-cybersecurityGraphic by Pixabay; illustration by CNET

Facebook is suing a developer it alleges was behind a data scraping campaign that took personal information, including login credentials, from thousands of people, according to court documents. 

The social network said Thursday that it’s filing a lawsuit against Mohammad Zaghar and his website, Massroot8, alleging that the service was grabbing Facebook users’ data without permission. The lawsuit, filed in the northern district of California, alleges that Zaghar’s website offered customers the ability to scrape data from Facebook friends, including phone numbers, gender, date of birth and email addresses. 

All that data is posted publicly by those Facebook users, but the automation allegedly provided by Zaghar’s website would enable people to grab the info at a much faster pace and on a larger scale. Facebook is also accusing Zaghar of using a botnet to bypass Facebook’s detections by pretending to be Android devices using the social network. 

Zaghar didn’t respond to a request for comment. 

Facebook said the data scraping campaign ran from April 23 to May 6, with about 5,500 people signing up for the service. In addition to the data scraped from those 5,500 customers’ friends on Facebook, Massroot8 also required its clients to provide their login credentials, the lawsuit said. 

“As a result, Zaghar’s customers self-compromised their Facebook account by relinquishing control of their username and password,” Facebook said in the lawsuit. 

The company said it sent multiple cease-and-desist orders to Zaghar, and also suspended his Facebook and Instagram accounts and required his customers to change their passwords for security purposes. 

Facebook has increasingly turned to lawsuits to stop data abuses on its platform, suing app developers for alleged fraud last August, and an analytics firm in February for allegedly harvesting people’s personal information. In tandem with the lawsuit filed against Zaghar, Facebook also filed a lawsuit in Spain against a service that provided fake likes and comments on Instagram.

“This is one of the first times a social media company is using coordinated, multi-jurisdictional litigation to enforce its Terms and protect its users,” Jessica Romero, Facebook’s director of platform enforcement and litigation, said in a blog post. “The defendants in the European lawsuit operated a Spain-based fake engagement service, and the defendant in the US lawsuit operated a data scraping service with ties to California.”   

The social networking giant has policies against data scraping, sending cease-and-desist orders in the past to facial recognition company Clearview AI for grabbing public photos off the platform

Scraped data from public posts on Facebook can be valuable to marketers and potential scammers. Last September, security researchers found a database of 220 million scraped phone numbers and Facebook IDs for sale for $1,000. 

Facebook’s lawsuit alleges that Zaghar violated the Computer Fraud and Abuse Act, arguing that he improperly accessed Facebook’s servers without authorization, and misused the estimated 5,500 customers’ login information. 

The company is seeking $75,000 in damages in its lawsuit. 

READ MORE HERE