SAN JOSE, CA — Facebook, the second most popular social-networking site, behind MySpace, has sued the parent company of adult affiliate program SlickCash and 17 individuals over allegations they attempted to hack Facebook’s servers and harvest users’ personal information.The lawsuit, amended earlier this month in the U.S. District Court in San Jose, CA, now names Toronto-based SlickCash parent Istra Holdings and Istra employees Brian Fabian, Josh Raskin, and Ming Wu as the entities that tried to access Facebook’s servers more than 200,000 times during a two-week period in June, allegedly in search of proprietary data. As originally filed, the suit sought the identities of unknown parties, which it obtained from hosting and internet service providers Rogers Communications and Look Communications with the help of a court order. Only 14 of the 17 “John Does” in the original suit remain unidentified.
Court records indicate Facebook became suspicious about server activity when it detected a large number of error messages had been generated in response to repeated, automated requests for information from its servers within a brief period of time.
“Each of these requests sought to direct Facebook’s computers to send information on other Facebook users back to [the defendants’ internet] address,” the complaint states.
The company has not confirmed whether any user data was compromised during the attacks, but according to court documents, the defendants made “unauthorized attempts to access and harvest proprietary information” and “knowingly and without permission took, copied, or made use of data from Facebook’s proprietary computers and computer network.”
The lawsuit asks for a jury trial during which Facebook will demonstrate to what extent its losses exceed the $5,000 it claims to have expended investigating the incidents. In addition, the company seeks an injunction barring the defendants from attempting to access its servers in the future.
Istra representatives were not available to comment before press time.
According to CIO Today, it’s not clear whether Istra violated any laws. Andrew Storms, director of security operations for nCircle Network Security, commented to the publication, “Did the porn site break the information security barriers of Facebook, or did they just act like a normal user but in a quicker, automated fashion? If Istra Holdings had broken the law, then why aren’t police authorities knocking down doors instead of Facebook filing a lawsuit?”
For privacy watchdogs, the case raises alarm about the concentration of personal information in the hands of relatively few social-networking sites. Facebook alone claims more than 55 million members worldwide; for each user, it stores information including name, date of birth, email addresses, religious and political affiliations, shopping habits and other private data. A recent study by the Information Commissioner’s Office, which in the U.K. is responsible for policing data-protection laws, found 60-percent of social-network users posted their date of birth, 26-percent posted their job title and almost 10-percent listed their home address and/or telephone number. Although a recent survey by the Pew Internet & American Life Project found most U.S. adult are relatively unconcerned about the vulnerability of their personal information online, the potential for abuse of sensitive data by hackers, spammers and other criminals is enormous, Storms said.
“I’d put money on a bet that this automated data capturing happens more often than is reported,” he told CIO Today. “Users should always think twice about what data they choose to share with any website. Be aware that while you may believe you maintain control of that data, the fact is you really don’t. You as an individual need to understand the risk-reward equation and decide for yourself if the information you choose to share is worth the potential reward in light of the risk taken.”
