Skip to main content

Facebook sues Ukrainian quiz-makers for stealing user data with malware plugins

Facebook sues Ukrainian quiz-makers for stealing user data with malware plugins

Share this story

Illustration by James Bareham / The Verge

Facebook has sued two Ukrainian men for allegedly using quiz apps to scrape Facebook users’ private data and inject advertisements into their News Feeds. The lawsuit, filed Friday, accuses Gleb Sluchevsky and Andrey Gorbachov of running a years-long hacking scheme.

Between 2017 and 2018, they enticed users to install malicious browser plugins promising horoscopes or “character and popularity” tests, apparently infecting around 63,000 Facebook users’ browsers. Sluchevsky and Gorbachov allegedly operated four web apps including “Supertest” and “FQuiz,” mostly targeting Russian and Ukrainian users. According to court filings, the apps offered personality quizzes like “Who are you of modern vampires?” (illustrated by a poster for Twilight) and “Who is yours [sic] doppelganger from the past?” (illustrated by pictures of Stalin and Lenin), as well as tests like “Do you have royal blood?”

Facebook personality quiz malware

The web apps used Facebook’s login feature, promising to collect only limited information. However, they would then direct users to install web browser extensions that gave the hackers access to users’ Facebook (and other social media) accounts.

The complaint says these hackers scraped public profile information and non-publicly viewable lists of friends, in addition to serving their own ads instead of official Facebook-approved ones. Based on context, however, they might also be tied to the sale of 81,000 users’ private messages last year.

Facebook says it suffered “irreparable reputational harm” from the breach

Facebook notes that it publicly announced the compromise around October 31st, which roughly matches the date of a BBC report revealing the private message breach, quoting Facebook blaming malicious browser extensions. Those hackers claimed to have information from 120 million Facebook accounts, but cybersecurity experts were dubious; if Facebook’s 63,000-browser estimate is accurate, it suggests that this skepticism was warranted.

The complaint also says Sluchevsky and Gorbachov “caused Facebook to suffer irreparable reputational harm,” which would tally with the scandal those private message sales caused — despite Facebook saying they weren’t its fault. Last year, the BBC questioned whether Facebook had been proactive enough in addressing the malicious plugins. Facebook didn’t immediately reply to questions about whether Sluchevsky and Gorbachov were linked with the private message leak.

In this complaint, Facebook alleges that users “effectively compromised their own browsers” by installing extensions. That makes this case substantially different from the better-known Cambridge Analytica scandal, which hinged entirely on Facebook giving developers broad access to data. The complaint suggests that Facebook wasn’t the only social network compromised, though it doesn’t name the others.

Facebook personality quiz malware

The scheme seemingly wouldn’t have worked, however, if Facebook hadn’t approved the hackers as developers who could use its Facebook Login feature. According to the lawsuit, the hackers registered accounts between 2016 and 2018 under pseudonyms like “Elena Stelmah” and “Amanda Pitt.” Facebook discovered their scheme “through an investigation of malicious extensions,” and it suspended all the accounts around October 12th 2018, then contacted browser makers to make sure the applications were removed.

Facebook is accusing Sluchevsky and Gorbachov of violating the Computer Fraud and Abuse Act by accessing Facebook data without authorization, as well as fraud and breach of contract for misrepresenting themselves as legitimate Facebook developers. “Facebook reasonably relied on Defendants’ misrepresentations to permit Defendants to access to and use of Facebook’s platform,” it says. Facebook allegedly spent more than $75,000 investigating the breach, which “interfered with and undermined Facebook’s relationship with its users.”

Facebook filed a similar lawsuit last week, suing four Chinese companies that allegedly sold fake Facebook accounts and user engagement. In both cases, the defendants are overseas and seem unlikely to suffer serious consequences. But the suits give Facebook a chance to defend itself against charges of being lax with privacy and security, explaining how users have been victimized by hackers — not the platform itself.

Facebook v. Sluchevsky and Gorbachov by Adi Robertson on Scribd