A federal lawsuit filed by the tech giant Facebook has revealed that two male hackers from Ukraine used online quizzes to lure more than 60,000 Facebook users into installing malicious browser extensions that violated their privacy and leaked profile details, as well as friends lists, to offshore servers.
In the period from 2016 to 2018, they compromised about 63 thousand browsers and caused Facebook damage totalling more than $75,000.
The BBC has contacted Web Sun Group for comment.
The Verge reported that the news follows Facebook's lawsuit against 4 Chinese companies selling fake accounts and user engagement. This extension then lifted data ranging from names and profile pictures to private lists of friends, photos, relationship status, and even email addresses and phone numbers. "Who is your yang?" and "What kind of dog are you according to your zodiac sign?" Last year, the BBC questioned whether Facebook had been proactive enough in addressing the malicious plugins.
The report comes as Facebook CEO Mark Zuckerberg has emphasised the importance of personal messaging apps.
Once users connected their Facebook and other social media accounts, they were asked to install what Facebook described as "malicious browser extensions" that essentially allowed the alleged hackers to pose as the affected users online. That makes this case substantially different from the better-known Cambridge Analytica scandal, which hinged entirely on Facebook giving developers broad access to data.
The scheme seemingly wouldn't have worked, however, if Facebook hadn't approved the hackers as developers who could use its Facebook Login feature.
"Friday, Facebook filed a complaint against two developers based in the Ukraine for violations of our policies and other United States laws by operating malicious browser extensions created to scrape Facebook and other social networking sites".
The company wrote that, by installing the extension, app users effectively compromised their own browsers.
Facebook is accusing Sluchevsky and Gorbachov of violating the Computer Fraud and Abuse Act by accessing Facebook data without authorization, as well as of fraud and breach of contract for misrepresenting themselves as legitimate Facebook developers. The defendants may not face serious consequences, but the suit will give Facebook leverage to defend itself.