Facebook Inc. and Facebook Ireland imposed legal action against two people in Portugal for violating Portugal’s Database Protection Law. The social media giant stated the culprits were scraping users’ personal information from their Facebook pages.
Malicious Extensions
Under the company name “Oinkn and Stuff,” the offenders specially designed browser extensions and made them available on the Chrome store. The malicious Chrome extensions, Web for Instagram plus DM, Blue Messenger, Emoji keyboard, and Green Messenger, contained hidden code that functions like spyware. The extensions were coded to scrape username, user ID, gender, relationship status, age group, and other personal data related to their social media accounts. The developers tricked users into installing the extensions with a privacy policy, claiming they did not collect users’ personal data.
“When people installed these extensions on their browsers, they were installing concealed code designed to scrape their information from the Facebook website, but also information from the users’ browsers unrelated to Facebook — all without their knowledge. The defendants did not compromise Facebook’s security systems. Instead, they used the extensions on the users’ devices to collect information,” Facebook said.
“We are seeking a permanent injunction against defendants and demanding that they delete all Facebook data in their possession. This case is the result of our ongoing international efforts to detect and enforce against those who scrape Facebook users’ data, including those who use browser extensions to compromise people’s browsers,” Facebook added.
What is Data Scraping?
Data scraping is a process of extracting users’ personal data from websites. It is a common practice for third-party vendors, web developers, business intelligence analysts, and authentic businesses to scrape users’ data for market research purposes. Social media companies like Facebook allow users to access third-party websites by using their existing Facebook login information. However, this process can also allow unauthorized users/threat actors to perform malicious activities, including identity theft and financial fraud.
