Published: 17/09/2021

Account Scraping

Account scraping is when someone uses software or APIs to collect user data from your website. This is illegal in many cases, but difficult to prove and fight against.

Usually, account scrapers are third parties who make money by selling the data they fetch from your site to advertisers. For instance, social media sites can access Facebook APIs in order to get data about which of their users are also on your site. Often you won’t even know that this is happening. Data that has been passed through an API call once cannot be traced back if it gets sold multiple times afterwards.

The reason why account scraping is dangerous

The main issue with account scraping is that companies selling data don’t care where the data comes from or what its collection and distribution imply. This means your company could get blacklisted in an instant for not following the guidelines set out for third parties handling user data, leading to a loss of brand reputation.

How to fight account scraping

Unfortunately, account scraping can be difficult to fight. If you suspect your website is being scraped by third parties, there are a few steps you should take:

  • Report the account scraper to Google (and other platforms that allow it).
  • Block all direct access to your APIs or website. This step might not always be possible for larger companies with an active user base.
  • Make sure that no sensitive data can be retrieved via your APIs (no names, ages, etc.). Pass only publicly available information like user IDs and profile pictures.

Frequently asked questions about account scraping

Is account scraping illegal?

Account scraping itself is not illegal, but there are laws in place to prevent the sale of user data without explicit consent.

Do I need to give permission for my users to be scraped?

No. Make sure only publicly available information is passed through your APIs and you should be fine. This can be updated later on when you want to start sharing data with third parties.

How much damage can an account scraper do in the long term?

This depends on how quickly you notice that somebody else has access to your website or APIs. If it takes weeks or months, then a lot of damage could already have been done by then.

If you notice the account scraper within minutes, weeks or months, it will help you to take action against them.

What if the data is used for good?

This does not matter. If third parties (even benevolent ones) use your APIs, you might get in trouble with the law and open yourself up to brand damage. Once this happens you cannot tell who will use that data and how it will be used, making legal action tricky.

Is open banking safe?

Open banking is not inherently safe or dangerous – it depends on how you use it and who you open it up to.

What are the penalties for account scraping?

There are no clear-cut penalties, but if you get notably large fines or an open court case it will be bad news for your brand.

Is it possible to detect account scrapers?

You can try to do this by looking at IP addresses or service providers. If you notice any red flags about the service providers, talk to the company they are working for directly – you might be able to solve it out of court.
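One way to look at IP addresses, as an added example that is not Netacea's own code: group API requests by client IP and flag any address that fetches many distinct accounts within a short window. The log layout, the /api/users/<id> path, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real traffic). The layout
# "<ip> <ISO timestamp> GET /api/users/<id>" is an assumption for this example.
SAMPLE_LOG = "\n".join(
    [f"203.0.113.7 2021-09-17T10:00:{s:02d} GET /api/users/{1000 + s}" for s in range(8)]
    + [f"198.51.100.20 2021-09-17T10:00:{s:02d} GET /api/users/42" for s in range(0, 30, 10)]
    + [f"192.0.2.55 2021-09-17T10:{m:02d}:00 GET /api/users/{2000 + m}" for m in range(0, 60, 10)]
)

LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/users/(\d+)$")


def find_scraper_ips(log_text, max_accounts=5, window=timedelta(minutes=1)):
    """Return {ip: peak} for IPs that requested more than max_accounts
    distinct accounts inside any sliding time window of the given length."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not account lookups
        ip, ts, account = m.groups()
        hits[ip].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({acct for _, acct in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_accounts:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(find_scraper_ips(SAMPLE_LOG))                             # fast enumerator only
    print(find_scraper_ips(SAMPLE_LOG, window=timedelta(hours=1)))  # also the slow one
```

A one-minute window only catches the fast enumerator; the address that requests one new account every ten minutes is flagged only when the window is widened, so the window and threshold need tuning against normal traffic.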

What if my website is already scraped?

First, talk to service providers involved in the account scraping. Make sure they are aware of the problem and do not allow it anymore. It is also possible that you can take legal action against service providers.

Is account scraping inevitable?

Account scraping is not inevitable, but it will always be a risk if you’re sharing data with service providers or third parties. If you update your Terms of Use and ask users to agree to them regularly, then this can help defuse some of the damage that might happen in case of a scrape.

What can I do to prevent account scraping?

Because web scraping is a form of web crawling, you should aim to make your website as difficult to crawl as possible. This might have an impact on user experience, however.
