Facebook Sues Ukrainian Quiz-makers for Stealing User Data with Malware Plugins

Facebook has sued two Ukrainian men for allegedly using quiz apps to scrape Facebook users’ private data and inject advertisements into their News Feeds. The lawsuit, filed Friday, accuses Gleb Sluchevsky and Andrey Gorbachov of running a years-long hacking scheme.

Between 2017 and 2018, they enticed users to install malicious browser plugins promising horoscopes or “character and popularity” tests, apparently infecting around 63,000 Facebook users’ browsers. Sluchevsky and Gorbachov allegedly operated four web apps including “Supertest” and “FQuiz,” mostly targeting Russian and Ukrainian users. According to court filings, the apps offered personality quizzes like “Who are you of modern vampires?” (illustrated by a poster for Twilight) and “Who is yours doppelganger from the past?” (illustrated by pictures of Stalin and Lenin), as well as tests like “Do you have royal blood?”

Facebook Sued UA

The web apps used Facebook’s login feature, promising to collect only limited information. However, they would then direct users to install web browser extensions that gave the hackers access to users’ Facebook (and other social media) accounts.

The complaint says these hackers scraped public profile information and non-publicly viewable lists of friends, in addition to serving their own ads instead of official Facebook-approved ones. Based on context, however, they might also be tied to the sale of 81,000 users’ private messages last year.

Facebook notes that it publicly announced the compromise around October 31st, which roughly matches the date of a BBC report revealing the private message breach, quoting Facebook blaming malicious browser extensions. Those hackers claimed to have information from 120 million Facebook accounts, but cybersecurity experts were dubious; if Facebook’s 63,000-browser estimate is accurate, it suggests that this skepticism was warranted.

The complaint also says Sluchevsky and Gorbachov “caused Facebook to suffer irreparable reputational harm,” which would tally with the scandal those private message sales caused — despite Facebook saying they weren’t its fault. Last year, the BBC questioned whether Facebook had been proactive enough in addressing the malicious plugins. Facebook didn’t immediately reply to questions about whether Sluchevsky and Gorbachov were linked with the private message leak.

In this complaint, Facebook alleges that users “effectively compromised their own browsers” by installing extensions. That makes this case substantially different from the better-known Cambridge Analytica scandal, which hinged entirely on Facebook giving developers broad access to data. The complaint suggests that Facebook wasn’t the only social network compromised, though it doesn’t name the others.