A pair of Ukrainian hackers used seemingly innocuous online quizzes and surveys, with titles like “What does your eye color say about you?,” to gain access to private Facebook user data and to target users with “unauthorized” advertisements, the social media company says.
The alleged hackers improperly used a Facebook feature that helped them take control of users’ internet browsers and gave them access to private information about Facebook users and their private friends’ lists, Facebook alleged in a lawsuit filed in Northern California on Friday.
Working out of Kiev, Ukraine, Andrey Gorbachov and Gleb Sluchevsky allegedly lured Facebook users to connect their accounts to a range of online quiz apps with names like, “Do you have royal blood?, “You are yin. Who is your yang?” and “What kind of dog are you according to your zodiac sign?”
Once users connected their Facebook and other social media accounts they were asked to install what Facebook described as “malicious browser extensions” that essentially allowed the alleged hackers to pose as the affected users online.
Facebook offers a range of services that allow users to use their Facebook accounts to login to other services, including dating and music apps.
The amount of information Facebook shares about their users with third-party apps like these has come under intense scrutiny over the past 12 months.
Last March, it emerged that a developer working on behalf of Cambridge Analytica, a controversial data firm that went on to work for Donald Trump’s 2016 presidential campaign, had collected data on tens of millions of American Facebook users without their explicit knowledge. The developer had used an online quiz app that connected to Facebook to gather the data.
The alleged Ukrainian operation largely targeted Russian and Ukrainian speakers, Facebook said. More than 60,000 internet browsers used by Facebook users had been compromised, it said.
“Friday, Facebook filed a complaint against two developers based in the Ukraine for violations of our policies and other US laws by operating malicious browser extensions designed to scrape Facebook and other social networking sites. By filing the complaint, we hope to reinforce that this kind of fraudulent activity is not tolerated on our services, and we will act forcefully to protect the integrity of our platform,” a company spokesperson said.
The alleged hackers accessed Facebook users’ information, including their name, age range, and profile picture, and also accessed their private list of Facebook friends. The defendants used access to users’ browsers to “inject unauthorized advertisements” when user’s visited Facebook and other social media sites, Facebook said.
Gorbachov and Sluchevsky worked for a company called the Web Sun Group. CNN reached out to the group but has not received comment.
The lawsuit accuses the pair of fraud and breach of contract and seeks monetary damages and a restraining order against the alleged hackers and their associates.
The operation was discovered in October 2018 and Facebook suspended the alleged hackers, who it said were operating under false names on the platform. The company also said it informed other companies, including the makers of internet browsers, that the defendants used for the alleged scam.
The Daily Beast was first to report the details of the public court filings on Friday.