Facebook | Breaking Cybersecurity News | The Hacker News

In what's likely to be a goldmine for bad actors, personal information associated with approximately 533 million Facebook users worldwide has been leaked on a popular cybercrime forum for free—which was harvested by hackers in 2019 using a Facebook vulnerability. The  leaked data  includes full names, Facebook IDs, mobile numbers, locations, email addresses, gender, occupation, city, country, marital status broken, account creation date, and other profile details broken down by country, with over 32 million records belonging to users in the U.S., 11 million users the U.K., and six million users in India, among others. Also included in the leak are  phone numbers  from Facebook CEO Mark Zuckerberg, and co-founders Chris Hughes, and Dustin Moskovitz, who are the fourth, fifth, and sixth members to have registered on Facebook. Interestingly, it appears that the same phone number is also registered to his name on the privacy-focussed messaging app Signal. "Mark Zuckerberg als

Facebook may be banned in China, but the company on Wednesday said it has disrupted a network of bad actors using its platform to target the Uyghur community and lure them into downloading malicious software that would allow surveillance of their devices. "They targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries," Facebook's Head of Cyber Espionage Investigations, Mike Dvilyanski, and Head of Security Policy, Nathaniel Gleicher,  said . "This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance." The social media giant said the "well-resourced and persistent operation" aligned with a threat actor known as  Evil Eye  (or Earth Empusa), a China-based collective known for its history of espionage attacks against the Muslim m

Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack Zerto , a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use snapshots, agents, or any other periodic data protection methodology. Zerto has no impact on production workloads and can achieve RPOs in the region of 5-15 seconds across thousands of virtual machines simultaneously. For example, the environment in the image below has nearly 1,000 VMs being protected with an average RPO of just six seconds! Application-Centric Protection: Group Your VMs to Gain Application-Level Control   You can protect your VMs with the Zerto application-centric approach using Virtual Protection Groups (VPGs). This logical grouping of VMs ensures that your whole applica

In January 2019, a  critical flaw  was reported in Apple's FaceTime group chats feature that made it possible for users to initiate a FaceTime video call and eavesdrop on targets by adding their own number as a third person in a group chat even before the person on the other end accepted the incoming call. The vulnerability was deemed so severe that the iPhone maker removed the FaceTime group chats feature altogether before the issue was resolved in a subsequent iOS update. Since then, a number of similar shortcomings have been discovered in multiple video chat apps such as Signal, JioChat, Mocha, Google Duo, and Facebook Messenger — all thanks to the work of Google Project Zero researcher Natalie Silvanovich. "While [the Group FaceTime] bug was soon fixed, the fact that such a serious and easy to reach vulnerability had occurred due to a logic bug in a calling state machine — an attack scenario I had never seen considered on any platform — made me wonder whether other sta

WhatsApp said on Friday that it wouldn't enforce its recently announced  controversial data sharing policy  update until May 15. Originally set to go into effect next month on February 8, the three-month delay comes following "a lot of misinformation" about a revision to its privacy policy that allows WhatsApp to share data with Facebook, sparking widespread concerns about the exact kind of information that will be shared under the incoming terms. The Facebook-owned company has since repeatedly clarified that the update does not expand its ability to share personal user chats or other profile information with Facebook and is instead simply providing further transparency about how user data is collected and shared when using the messaging app to interact with businesses. "The update includes new options people will have to message a business on WhatsApp, and provides further transparency about how we collect and use data," WhatsApp  said  in a post. "W

"Respect for your privacy is coded into our DNA," opens WhatsApp's  privacy policy . "Since we started WhatsApp, we've aspired to build our Services with a set of strong privacy principles in mind." But come February 8, 2021, this opening statement will no longer find a place in the policy. The Facebook-owned messaging service is alerting users in India of an update to its  terms of service  and  privacy policy  that's expected to go into effect next month. The "key updates" concern how it processes user data, "how businesses can use Facebook hosted services to store and manage their WhatsApp chats," and "how we partner with Facebook to offer integrations across the Facebook Company Products." The mandatory changes allow WhatsApp to  share  more user data with other Facebook companies, including account registration information, phone numbers, transaction data, service-related information, interactions on the platform,

Cybersecurity researchers from Facebook today formally linked the activities of a Vietnamese threat actor to an IT company in the country after the group was caught abusing its platform to hack into people's accounts and distribute malware. Tracked as  APT32  (or Bismuth, OceanLotus, and Cobalt Kitty), the state-aligned operatives affiliated with the Vietnam government have been known for orchestrating sophisticated  espionage campaigns  at least since 2012 with the goal of furthering the country's strategic interests. "Our investigation linked this activity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso)," Facebook's Head of Security Policy, Nathaniel Gleicher, and Cyber Threat Intelligence Manager, Mike Dvilyanski,  said . Exact evidence trail leading Facebook to attribute the hacking activity to CyberOne Group was not disclosed, but according to a descripti

The US Federal Trade Commission and a coalition of 48 state attorneys general on Wednesday filed a pair of sweeping antitrust suits against Facebook, alleging that the company abused its power in the marketplace to neutralize competitors through its acquisitions of Instagram and WhatsApp and depriving users of better privacy-friendly alternatives. "Facebook has engaged in a systematic strategy — including its 2012 acquisition of up-and-coming rival Instagram, its 2014 acquisition of the mobile messaging app WhatsApp, and the imposition of anti-competitive conditions on software developers — to eliminate threats to its monopoly," the FTC  said  in its complaint. A  separate lawsuit  filed by New York Attorney General Letitia James also claimed that in illegally acquiring competitors in a predatory manner, the social media company stripped users of the benefits of competition, limited consumer choices, and their access to rivals with better privacy practices. Specifically,

More than six years after Facebook launched its ambitious Free Basics program to bring the Internet to the masses, the social network is back at it again with a new zero-rating initiative called Discover . The service, available as a mobile web and Android app, allows users to browse the Internet using free daily data caps. Facebook Discover is currently being tested in Peru in partnership with local telecom companies such as Bitel, Claro, Entel, and Movistar. Unlike the regular rich-content browsing, Facebook's latest connectivity project only provides low-bandwidth text-only based browsing, meaning other forms of data-intensive content such as audio and video are not supported. Another key differentiator is that it treats all websites equally, whereas users of Free Basics are limited to a handful of sites that are submitted by developers and meet technical criteria set by Facebook. The move, ultimately, drew criticism for violating principles of net neutrality ,

Facebook is one of the world's biggest advertising platforms, and that's because it knows a lot about you, me, and everyone. Facebook uses many tools to track people across the Internet, whether they have an account with the social networking site or not, and most of them rely on the online activity data other apps and websites share with Facebook. Everything we do online generates an extensive amount of behavioral data, from buying clothes to looking for hotels, which apps and websites often share with advertising companies, allowing them to build more accurate profiles of your interests and needs. However, after facing worldwide criticism over privacy and data breach controversies, Facebook last summer announced a privacy tool, called Off-Facebook Activity , which gives users more control of their data collected by Facebook. Starting today on Data Privacy Day 2020 , the Off-Facebook Activity feature is now available to every user around the world, which was initiall

Following its efforts to take legal action against those misusing its social media platform, Facebook has now filed a new lawsuit against a Hong Kong-based advertising company and two Chinese individuals for allegedly abusing its ad platform to distribute malware and Ad fraud. Facebook filed the lawsuit on Thursday in the Northern District of California against ILikeAd Media International Company Ltd. as well as a Chinese software developer and a marketing director working for the firm, Chen Xiao Cong and Huang Tao. All three defendants have been alleged to have deceived people into installing malware on their systems, enabling them to compromise user's Facebook accounts and then using those hacked accounts to advertise counterfeit goods and diet pills—which is clearly in violation of Facebook's Terms and Advertising Policies. "The suit seeks to hold accountable ILikeAd Media International Company Ltd. and Chen Xiao Cong and Huang Tao for creating the malware, tr

Two third-party software development kits integrated by over hundreds of thousands of Android apps have been caught holding unauthorized access to users' data associated with their connected social media accounts. In a blog post published yesterday, Twitter revealed that an SDK developed by OneAudience contains a privacy-violating component which may have passed some of its users' personal data to the OneAudience servers. Following Twitter's disclosure, Facebook today released a statement revealing that an SDK from another company, Mobiburn , is also under investigation for a similar malicious activity that might have exposed its users connected with certain Android apps to data collection firms. Both OneAudience and Mobiburn are data monetization services that pay developers to integrate their SDKs into the apps, which then collect users' behavioral data and then use it with advertisers for targeted marketing. In general, third-party software development k

The recent controversies surrounding the WhatsApp hacking haven't yet settled, and the world's most popular messaging platform could be in the choppy waters once again. The Hacker News has learned that last month WhatsApp quietly patched yet another critical vulnerability in its app that could have allowed attackers to remotely compromise targeted devices and potentially steal secured chat messages and files stored on them. The vulnerability — tracked as CVE-2019-11931 — is a stack-based buffer overflow issue that resided in the way previous WhatsApp versions parse the elementary stream metadata of an MP4 file, resulting in denial-of-service or remote code execution attacks. To remotely exploit the vulnerability, all an attacker needs is the phone number of targeted users and send them a maliciously crafted MP4 file over WhatsApp, which eventually can be programmed to install a malicious backdoor or spyware app on the compromised devices silently. The vulnerability

It appears that Facebook at the center of yet another issue involving privacy. Reportedly, multiple iPhone users have come forward on social media complaining that the Facebook app secretly activates their smartphone's camera in the background while they scroll through their Facebook feeds or looking at the photos on the social network. As shown in the Twitter videos below, when users click on an image or video on the social media to full screen and then return it back to normal, an issue with the Facebook app for iOS slightly shifts the app to the right. It opens a space on the left from where users can see the iPhone's camera activated in the background. However, at this moment, it's not clear if it's just an UI bug where Facebook app incorrectly but only accesses the camera interface, or if it also records or uploads something, which, if proven right, would be the most disastrous moment in Facebook's history. Found a @facebook #security & #pri

Facebook today revealed yet another security incident admitting that roughly 100 app developers may have improperly accessed its users' data in certain Facebook groups, including their names and profile pictures. In a blog post published Tuesday, Facebook said the app developers that unauthorizedly access this information were primarily social media management and video streaming apps that let group admins manage their groups more effectively and help members share videos to the groups, respectively. For those unaware, Facebook made some changes to its Group API in April 2018, a month after the revelation of the Cambridge Analytica scandal , limiting apps integrated with a group to only access information, like the group's name, the number of members and the posts' content. To get access to additional information like names and profile pictures of members in connection with group activities, group members had to opt-in. However, it seems like Facebook once again fa

Finally, for the very first time, an encrypted messaging service provider is taking legal action against a private entity that has carried out malicious attacks against its users. Facebook filed a lawsuit against Israeli mobile surveillance firm NSO Group on Tuesday, alleging that the company was actively involved in hacking users of its end-to-end encrypted WhatsApp messaging service. Earlier this year, it was discovered that WhatsApp had a critical vulnerability that attackers were found exploiting in the wild to remotely install Pegasus spyware on targeted Android and iOS devices. The flaw (CVE-2019-3568) successfully allowed attackers to silently install the spyware app on targeted phones by merely placing a WhatsApp video call with specially crafted requests, even when the call was not answered. Developed by NSO Group, Pegasus allows access to an incredible amount of data from victims' smartphones remotely, including their text messages, emails, WhatsApp chats,

Following a series of security mishaps and data abuse through its social media platform, Facebook today expanding its bug bounty program in a very unique way to beef up the security of third-party apps and websites that integrate with its platform. Last year, Facebook launched " Data Abuse Bounty " program to reward anyone who reports valid events of 3rd-party apps collecting Facebook users' data and passing it off to malicious parties, violating Facebook's revamped data policies. Apparently, it turns out that most of the time, Facebook users' data that had been misused was exposed in the first place as the result of a vulnerability or security weakness in third-party apps or services. The Facebook ecosystem contains millions of third-party apps, and unfortunately, very few of them have a vulnerability disclosure program or offer bug bounty rewards to white-hat hackers for responsibly reporting bugs in their codebase. Because of this communication g