Facebook is suing a developer allegedly behind a data scraping campaign that took personal information, including login credentials, from about 5,500 people, according to court documents.
The social network announced on Thursday that it was filing a lawsuit against Mohammad Zaghar and his website, Massroot8, claiming that the service was grabbing Facebook users’ data without permission. The lawsuit filed in the northern district of California alleged that Zaghar’s website offered its customers the ability to scrape data from their Facebook friends — including their phone numbers, gender, date of birth and email addresses.
All of that data is posted publicly by those Facebook users, but the automation allegedly provided by Zaghar’s website would enable people to grab that data at a much faster pace and on a larger scale. Facebook also accused Zaghar of using a botnet to pretend to be Android devices using the social network to bypass its detections.
Zaghar did not respond to a request for comment.
Facebook said that the data scraping campaign had run from April 23 to May 6, with about 5,500 people signing up for the service. In addition to the data scraped from those 5,500 customers’ friends on Facebook, Massroot8 also required its clients to provide their login credentials, the lawsuit said.
“As a result, Zaghar’s customers self-compromised their Facebook account by relinquishing control of their username and password,” Facebook said in the lawsuit.
The company had sent multiple cease-and-desist orders to Zaghar, and also suspended his Facebook and Instagram accounts and required his customers to change their passwords for security purposes.
Facebook has increasingly turned to lawsuits to stop data abuses on its platform, suing app developers for fraud last August, and an analytics firm in February for allegedly harvesting people’s personal information. In tandem with the lawsuit filed against Zaghar, Facebook also filed a lawsuit in Spain against a service that provided fake likes and comments on Instagram.
“This is one of the first times a social media company is using coordinated, multi-jurisdictional litigation to enforce its Terms and protect its users,” Jessica Romero, Facebook’s director of platform enforcement and litigation, said in a blog post. “The defendants in the European lawsuit operated a Spain-based fake engagement service, and the defendant in the US lawsuit operated a data scraping service with ties to California.”
The social networking giant has policies against data scraping, sending cease-and-desist orders in the past to facial recognition company Clearview AI for grabbing public photos off the platform.
Scraped data from public posts on Facebook can be valuable to marketers and potential scammers. Last September, security researchers found a database of 220 million scraped phone numbers and Facebook IDs for sale for $1,000.
Facebook’s lawsuit claims that Zaghar violated the Computer Fraud and Abuse Act, arguing that he improperly accessed Facebook’s servers without authorization, and misused the estimated 5,500 customers’ login information.
The company is seeking $75,000 in damages in its lawsuit.