Facebook sues a Ukrainian hacker for illegally stealing millions of user details from Messenger and selling them on the dark web
Facebook filed a data theft case Friday against a Ukrainian man accused of illegally scraping the personal data of more than 178 million users of Facebook's Messenger and selling it on dark web forums. The hacker abused Messenger's address book import feature to scrape user data over a 21-month period. The company is now seeking court authorization to ban the man from using the Facebook site and to pursue damages for the sale of the scraped data.
The defendant is a programmer from Kirovograd, Ukraine, named Alexander Alexandrovich Solonchenko. According to Facebook, Solonchenko used Facebook Messenger's address book import feature to illegally collect data. This feature syncs with a user's cell phone address book to make it easier to contact the user's saved numbers.
The data theft in question took place over a 21-month period, from January 2018 to September 2019, using an automated tool that simulated an Android environment and served millions of random phone numbers to Facebook's servers. The servers responded for the numbers that were actually registered to accounts on the site, and those responses let Solonchenko collect the data.
On Dec. 1, 2020, he placed the collected data on the RaidForums forum, a well-known cybercrime forum on the Dark Web for trading stolen data. According to the documents, Solonchenko sold the data of several companies on this forum under the name "Solomame" and later "barak_obama".
The social media giant linked Solonchenko to this online activity after he used the same contact details on job portals and email accounts. Solonchenko worked as a freelance programmer and used the business name "DropTop" to sell shoes online in June 2019.
The contact import feature was removed in 2019. In April 2021, the phone numbers of 533 million Facebook users were leaked through misuse of the same feature and sold on the same dark web hacking forum. However, Facebook said the data set was old at the time and that the breach had occurred two years earlier, before the feature was pulled.
From: On DarkNet – Dark Web News and Analysis