Facebook sues scraper who sold 178 million phone numbers and user IDs

Apparently The Social Network™ is the only one allowed to do nasty things with users' data

Facebook has sued a Ukrainian national for allegedly harvesting and selling personal data describing 178 million of the Social Network™'s users – actions it says violate the service's terms of service.

The suit alleges that Alexander Alexandrovich Solonchenko created millions of virtual Android devices, each with a different phone number, and used them to deliver automated requests to Facebook systems using the Messenger app.

Over 21 months between January 2018 and September 2019, Solonchenko purportedly took advantage of Facebook Messenger's now-defunct Contact Importer feature. The feature allowed users to synchronize their phone address books and see which contacts had an account with The Social Network™, presumably so they could contact them on Messenger rather than through other means.

But Solonchenko didn't really want to chat with 178 million people. Rather – according to court documents [PDF] – he performed phone number enumeration scraping and pulled together a database of the publicly accessible user IDs and phone numbers. He then – again allegedly – put them up for sale in early December 2020 on RaidForums.com, a marketplace for questionably obtained data, under the usernames "Solomame" and "Barak_Obama".

"I collected this database [of Facebook user IDs and phone numbers] during 2018y (sic), it's unique and nobody sales exact that leak (sic), I collected it by myself scanning [Facebook] day-by-day during a year (sic)," wrote Solonchenko on the nefarious website, according to Facebook's complaint.

He allegedly sold other data there too – including from a Ukrainian bank, a Ukrainian private delivery service and a French data analytics company. In May 2021, Solonchenko found a buyer for his Facebook trove.

Facebook maintains that since the defendant had at least two Facebook accounts, two Facebook apps, and a Facebook page (not to mention five Instagram accounts), he thereby had agreed at some point to the Terms of Service. These terms prohibit misleading or fraudulent activity, collecting data from Facebook products through automated means, and selling or making platform data available without written consent.

In addition to scraping and selling data, Solonchenko's other career accomplishments include working as a freelance computer programmer. He's skilled in Python, PHP, and Xrumer – software used for spamming. Facebook's complaint indicates the Ukrainian is also handy with an Android emulator, has affiliate marketing skills, and has even served a stint as an online shoe salesman.

According to the complaint, the scraping run used repeating or thematic user names, phone numbers and emails, leaving breadcrumbs to link the same actor to various efforts, both legal and less so.

Facebook said it took measures to detect and disrupt unauthorized automated requests on its systems and limit phone number enumeration scraping. It also shut down the Contact Importer in September 2019 when a threat actor – who was not Solonchenko – used it to leak 533 million Facebook user phone numbers.


The House That Zuck Built is asking a judge to forbid Solonchenko accessing Facebook sites or selling the data, in addition to unspecified damages. ®

Biting the hand that feeds IT © 1998–2021