According to the report, Solonchenko exploited Facebook Messenger’s contact import feature, which the company shut down in September 2019, to scrap personal data for users. This feature allowed users to sync their contact lists to find out which contacts have a Facebook account so they could reach out to them on Messenger. Solonchenko abused this ability to feed Facebook servers with millions of random phone numbers. He reportedly used an automated tool that could mimic Android devices to carry out this attack. Whenever Facebook returned info on accounts with the phone numbers the attacker fed to its servers, he collected that information. This data heist reportedly took place over 21 months, from January 2018 through September 2019, i.e. until the importer feature was available. Solonchenko sold the data on a darknet forum in December last year, namely RaidForums. He was identified as Solomame (username later changed to barak_obama) on the forum. Facebook could track down Solonchenko after he used the same username and contact methods on job portals and email. The Ukrainian had reportedly also scraped and sold data from other big companies and organizations. These include “Ukraine’s largest commercial bank, Ukraine’s largest private delivery service, and a French data analytics company.” Following these findings, Facebook filed a lawsuit against Solonchenko with the Federal District Court for the Northern District of California. The company has asked a judge to ban the Ukrainian from accessing its sites as well as prevent him from selling the scrapped data. The social network is also seeking undefined damages.

Facebook Messenger contact import feature abused again

This isn’t the first time we have seen someone abuse Facebook Messenger’s contact import feature to scrap data for users. In April this year, it was reported that attackers exploited the same feature to leak data of 533 million people. The company has now retired the feature but it allowed for at least two large-scale data theft. Facebook doesn’t have a very good reputation for protecting user privacy and these types of incidents aren’t helping its cause. The company is now seemingly looking to hide under a new name as it dreams of building a metaverse. It will be interesting to see how these plans develop in the future.