Facebook filed a lawsuit today in Portugal against two Portuguese nationals for developing browser extensions that scraped user data from Facebook sites.
“When people installed these extensions on their browsers, they were installing concealed code designed to scrape their information from the Facebook website, but also information from the users’ browsers unrelated to Facebook — all without their knowledge,” Jessica Romero, Facebook’s Director of Platform Enforcement and Litigation, said today.
“If the user visited the Facebook website, the browser extensions were programmed to scrape their name, user ID, gender, relationship status, age group and other information related to their account,” Romero said.
All extensions were developed by a software company named “Oink and Stuff,” which specializes in creating Android apps and browser extensions for Chrome, Firefox, Opera, and Microsoft Edge.
While the company develops a wide array of browser extensions, Facebook said it found malicious data-collection behavior inside four extensions named Web for Instagram plus DM, Blue Messenger, Emoji keyboard, and Green Messenger, which Facebook said “functioned like spyware.”
All four extensions are still available on the official Chrome Web Store at the time of writing, and have more than 54,000 installs, combined.
Facebook is now asking a Portuguese judge to issue a permanent injunction against the Oink and Stuff team and force the company to delete all the Facebook user data they acquired through the four extensions.
A request for comment was sent to Oink and Stuff, but the company had not replied before this article’s publication due to timezone differences.
Today’s lawsuit is Facebook’s latest legal action against rogue app and extension developers. Since early 2019, Facebook’s legal department has been filing lawsuits against several third parties that have been abusing its platform, such as:
March 2019 – Facebook sues two Ukrainian browser extension makers (Gleb Sluchevsky and Andrey Gorbachov) for allegedly scraping user data.
August 2019 – Facebook sues LionMobi and JediMobi, two Android app developers on allegations of advertising click fraud.
October 2019 – Facebook sues Israeli surveillance vendor NSO Group for developing and selling a WhatsApp zero-day that was used in May 2019 to attack attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials.
December 2019 – Facebook sued ILikeAd and two Chinese nationals for using Facebook ads to trick users into downloading malware.
February 2020 – Facebook sued OneAudience, an SDK maker that secretly collected data on Facebook users.
March 2020 – Facebook sued Namecheap, one of the biggest domain name registrars on the internet, to unmask hackers who registered malicious domains through its service.
April 2020 – Facebook sued LeadCloak for providing software to cloak deceptive ads related to COVID-19, pharmaceuticals, diet pills, and more.
June 2020 – Facebook sued to unmask and take over 12 domains containing Facebook brands and used to scam Facebook users.
June 2020 – Facebook sued MGP25 Cyberint Services, a company that operated a website that sold Instagram likes and comments.
June 2020 – Facebook sued the owner of Massroot8.com, a website that stole Facebook users’ passwords.
August 2020 – Facebook sued MobiBurn, the maker of an advertising SDK accused of scraping user data.
August 2020 – Facebook sued the owner of Nakrutka, a website that sold Instagram likes, comments, and followers.
October 2020 – Facebook sued the maker of two Chrome extensions for scraping user data.
November 2020 – Facebook sued a Turkish national for operating a network of at least 20 Instagram clones.