Privacy | Breaking Cybersecurity News | The Hacker News

Facebook's parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring the personal data of users in the region to the U.S. In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with the GDPR and delete unlawfully stored and processed data within six months. Additionally, Meta has been given five months to suspend any future transfer of Facebook users' data to the U.S. Instagram and WhatsApp, which are also owned by the company, are not subject to the order. "The EDPB found that Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous," Andrea Jelinek, EDPB Chair,  said  in a statement. "Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizati

Apple has announced that it prevented over $2 billion in potentially fraudulent transactions and rejected roughly 1.7 million app submissions for privacy and security violations in 2022. The computing giant said it terminated 428,000 developer accounts for potential fraudulent activity, blocked 105,000 fake developer account creations, and deactivated 282 million bogus customer accounts. It further noted that it thwarted 198 million attempted fraudulent new accounts prior to their creation. In contrast, Apple is estimated to have booted out 802,000 developer accounts in 2021. The company attributed the decline to new App Store "methods and protocols" that prevent the creation of such accounts in the first place. "In 2022, Apple protected users from nearly 57,000 untrustworthy apps from illegitimate storefronts," the company  emphasized . "These unauthorized marketplaces distribute harmful software that can imitate popular apps or alter them without the cons

Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.

OpenAI, the company behind ChatGPT, has officially made a return to Italy after the company met the  data protection authority's demands  ahead of April 30, 2023, deadline. The development was  first reported  by the Associated Press. OpenAI's CEO, Sam Altman,  tweeted , "we're excited ChatGPT is available in [Italy] again!" The reinstatement comes following Garante's decision to  temporarily block  access to the popular AI chatbot service in Italy on March 31, 2023, over concerns that its practices are in violation of data protection laws in the region. Generative AI systems like ChatGPT and Google Bard primarily rely on huge amounts of information freely available on the internet as well as the data its users provide over the course of their interactions. OpenAI, which published a  new FAQ , said it filters and removes information such as hate speech, adult content, sites that primarily aggregate personal information, and spam. It also emphasized that

Open source media player software provider Kodi has confirmed a data breach after threat actors stole the company's MyBB forum database containing user data and private messages. What's more, the unknown threat actors  attempted to sell  the data dump  comprising 400,635 Kodi users  on the now-defunct  BreachForums  cybercrime marketplace. "MyBB admin logs show the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console twice: on 16 February and again on 21 February," Kodi  said  in an advisory. The threat actors then abused the account to create database backups that were then downloaded and deleted. Also downloaded were existing nightly full backups of the database. The account in question has now been disabled. The nightly backups contained all public forum posts, team forum posts, messages sent through the user-to-user messaging system, and user information such as forum username, email a

Google is enacting a new data deletion policy for Android apps that allow account creation to also offer users with a setting to delete their accounts in an attempt to provide more transparency and control over their data. "For apps that enable app account creation, developers will soon need to provide an option to initiate account and data deletion from within the app and online," Bethel Otuteye, senior director of product management for Android App Safety,  said . "This web requirement, which you will link in your  Data safety form , is especially important so that a user can request account and data deletion without having to reinstall an app." The goal, the search behemoth said, is to have a "readily discoverable option" to initiate an app account deletion process from both within an app and outside of it. To that end, developers are to provide users with an in-app path as well as a web link resource to request app account deletion and associated

Microsoft on Tuesday  unveiled   Security Copilot  in limited preview, marking its continued quest to embed AI-oriented features in an attempt to offer "end-to-end defense at machine speed and scale." Powered by OpenAI's GPT-4 generative AI and its own security-specific model, it's billed as a  security analysis tool  that enables cybersecurity analysts to quickly respond to threats, process signals, and assess risk exposure. To that end, it collates insights and data from various products like Microsoft Sentinel, Defender, and Intune to help security teams better understand their environment; determine if they are susceptible to known vulnerabilities and exploits; identify ongoing attacks, their scale, and receive remediation instructions; and summarize incidents. Users, for instance, can ask Security Copilot about suspicious user logins over a specific time period, or even employ it to create a PowerPoint presentation outlining an incident and its attack chain.

Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11. The  issue , dubbed  aCropalypse , could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that may have been cropped out. Tracked as  CVE-2023-28303 , the vulnerability is rated 3.3 on the CVSS scoring system. It affects both the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11. "The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker's control," Microsoft  said  in an advisory released on March 24, 2023. Successful exploitation requires that the following two prerequisites are met - The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location. The user must open

An older version of Shein's  Android application  suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it  discovered  the problem in  version 7.9.2  of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022. Shein, originally named ZZKKO, is a Chinese online fast fashion retailer based in Singapore. The app, which is currently at version 9.0.0, has over 100 million downloads on the Google Play Store. The tech giant  said  it's not "specifically aware of any malicious intent behind the behavior," but noted that the function isn't necessary to perform tasks on the app. It further pointed out that launching the application after copying any content to the device clipboard automatically triggered an HTTP POST request containing the data to the server "api-service[.]shein[.]com." To mitigate such privacy risks, Goo

A group of researchers has revealed what it says is a vulnerability in a specific implementation of  CRYSTALS-Kyber , one of the encryption algorithms chosen by the U.S. government as quantum-resistant last year. The exploit relates to "side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU," Elena Dubrova, Kalle Ngo, and Joel Gärtner of KTH Royal Institute of Technology  said  in a paper. CRYSTALS-Kyber is one of four post-quantum algorithms  selected  by the U.S. National Institute of Standards and Technology (NIST) after a rigorous multi-year effort to identify a set of next-generation encryption standards that can withstand huge leaps in computing power. A side-channel attack, as the name implies, involves extracting secrets from a cryptosystem through measurement and analysis of physical parameters. Some examples of such parameters include supply current, execution time, and electromagnetic emission. The underlyi

Google announced on Tuesday that it's officially rolling out  Privacy Sandbox on Android  in beta to eligible mobile devices running Android 13. "The Privacy Sandbox Beta provides new APIs that are designed with privacy at the core, and don't use identifiers that can track your activity across apps and websites," the search and advertising giant  said . "Apps that choose to participate in the Beta can use these APIs to show you relevant ads and measure their effectiveness." Devices that have been selected for the Beta test will have a Privacy Sandbox section within Settings so as to allow users to control their participation as well as view and manage their top interests as determined by the  Topics API  to serve relevant ads. The initial  Topics taxonomy  is set to include somewhere between a few hundred and a few thousand topics,  according to Google , and will be human-curated to exclude sensitive topics. The Beta test is expected to start off with

A joint law enforcement operation conducted by Germany, the Netherlands, and Poland has cracked yet another encrypted messaging application named  Exclu  used by organized crime groups. Eurojust, in a press statement,  said  the February 3 exercise resulted in the arrests of 45 individuals across Belgium and the Netherlands, some of whom include users as well as the administrators and owners of the service, Authorities also launched raids in 79 locations, leading to the seizure of €5.5 million in cash, 300,000 ecstasy tablets, 20 firearms, and 200 phones. Two drug laboratories have further been shut down. Investigation into Exlcu is said to have commenced in Germany as far back as June 2020. The application, prior to its takedown, had an estimated 3,000 users, of which 750 are Dutch speakers. The Politie, in an announcement of its own, noted that it was able to gain covert access to the service, permitting the agency to read messages sent by its users for the past five months. &

Meta Platforms on Monday announced that it has started to expand global testing of end-to-end encryption ( E2EE ) in Messenger chats by default. "Over the next few months, more people will continue to see some of their chats gradually being upgraded with an extra layer of protection provided by end-to-end encryption," Meta's Melissa Miranda  said . The social media behemoth said it intends to notify users in select individual chat threads as the security feature is enabled, while emphasizing that the process of choosing and upgrading the conversations to support E2EE is random. "It's designed to be random so that there isn't a negative impact on our infrastructure and people's chat experience," Miranda further explained. Along with flipping the switch on E2EE, Meta has also added more features into its encrypted chat experience, including support for themes, custom emojis and reactions, group profile photos, link previews, and active status. T

The Irish Data Protection Commission (DPC) on Thursday imposed fresh fines of €5.5 million against Meta's WhatsApp for violating data protection laws when processing users' personal information. At the heart of the ruling is an update to the messaging platform's Terms of Service that was imposed in the days leading to the enforcement of the General Data Protection Regulation ( GDPR ) in May 2018, requiring that users agree to the revised terms in order to continue using the service or risk losing access. The complaint, filed by privacy non-profit NOYB, alleged that WhatsApp breached the regulation by compelling its users to "consent to the processing of their personal data for service improvement and security" by "making the accessibility of its services conditional on users accepting the updated Terms of Service." "WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security," th

Popular short-form video hosting service TikTok has been fined €5 million (about $5.4 million) by the French data protection watchdog for breaking cookie consent rules, making it the latest platform to face similar penalties after  Amazon, Google, Meta , and  Microsoft  since 2020. "Users of 'tiktok[.]com' could not refuse cookies as easily as accepting them and they were not informed in a sufficiently precise way of the objectives of the different cookies," the Commission nationale de l'informatique et des libertés (CNIL)  said  in a statement. The regulator said it conducted several audits between May 2020 and June 2022, finding that the ByteDance-owned company did not offer a straightforward option to refuse all cookies as opposed to just one click for accepting them. The option to "refuse all" cookies was introduced by TikTok in February 2022. "Making the opt-out mechanism more complex is in fact discouraging users from refusing cookies and

The Irish Data Protection Commission (DPC) has  fined  Meta Platforms €390 million (roughly $414 million) over its handling of user data for serving personalized ads in what could be a major blow to its ad-fueled business model. To that end, the privacy regulator has ordered Meta Ireland to pay two fines – a €210 million ($222.5 million) fine over violations of the E.U. General Data Protection Regulation ( GDPR ) related to Facebook, and a €180 million ($191 million) for similar violations in Instagram. The latest enforcement comes in the wake of concerns that the social media company used its Terms of Service to gain users' forced consent to allow targeted advertising based on their online activity. The complaints were filed on May 25, 2018, the date when GDPR came into effect in the region. It also arrives a month after the European Data Protection Board (EDPB), an independent body that oversees the consistent application of GDPR in the E.U.,  announced  that it had reached 

A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices. The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN," the researcher, who goes by the name Matt Kunze,  disclosed  in a technical write-up published this week. In making such malicious requests, not only could the Wi-Fi password get exposed, but also provide the adversary direct access to other devices connected to the same network. Following responsible disclosure on January 8, 2021, the issues were remediated by Google in April 2021. The problem, in a nutshell, has to do with how the Google Home software architecture can be leveraged to add a rogue Google us

The developers behind the Brave open-source web browser have revealed a new privacy-preserving data querying and retrieval system called  FrodoPIR . The idea, the company  said , is to use the technology to build out a wide range of use cases such as safe browsing, scanning passwords against breached databases, certificate revocation checks, and streaming, among others. The scheme is called  FrodoPIR  because "the client can perform hidden queries to the server, just as Frodo remained hidden from Sauron," a reference to the characters from J. R. R. Tolkien's  The Lord of the Rings . PIR, short for  private information retrieval , is a cryptographic protocol that enables users (aka clients) to retrieve a piece of information from a database server without revealing to its owner which element was selected. In other words, the goal is to be able to query a platform for information (say, cooking videos) without letting the service provider infer from a user's search

France's privacy watchdog has imposed a €60 million ($63.88 million) fine against Microsoft's Ireland subsidiary for dropping advertising cookies in users' computers without their explicit consent in violation of data protection laws in the European Union. The Commission nationale de l'informatique et des libertés (CNIL)  noted  that users visiting the home page of its Bing search engine did not have a "mechanism to refuse cookies as easily as accepting them." The authority, which carried out an online audit between September 2020 and May 2021 following a complaint it received in February 2020,  stated  the tech giant deposited cookies with an aim to serve ads and fight advertising fraud without getting a user's permission beforehand, as is required by law. Along with the fines, Microsoft has also been ordered to alter its cookie practices within three months, or risk facing an additional penalty of €60,000 per day of non-compliance following the end

Epic Games has reached a $520 million settlement with the U.S. Federal Trade Commission (FTC) over allegations that the  Fortnite  creator violated online privacy laws for children and tricked users into making unintended purchases in the video game. To that end, the company will pay a record $275 million monetary penalty for breaching the Children's Online Privacy Protection Act ( COPPA ) by collecting the personal information of Fortnite players under the age of 13 without seeking permission from their parents. It will also pay $245 million to reimburse customers who were deceived by its  dark pattern  tricks to make accidental purchases as well as for allowing children to rack up unauthorized charges through in-game content purchases without requiring any parental or card holder action or consent. "Epic Games possessed actual knowledge that it collected personal information from children, including their names, email addresses, and identifiers used to keep track of pla

Protecting customer data is critical for any business accepting online payment information. The Payment Card Industry Data Security Standard (PCI DSS), created by leading credit card companies, establishes best practices for protecting consumers' information. By adhering to these standards, businesses can ensure that their customer's personal and financial information is secure.  The PCI DSS security standards apply to any business that processes, stores, or transmits credit card information. Failure to comply with the PCI DSS can result in costly fines and penalties from credit card companies. It can also lead to a loss of customer trust, which can be devastating for any business. PCI DSS 4.0 was released in March 2022 and will replace the current PCI DSS 3.2.1 standard in March 2025. That provides a three-year transition period for organizations to be compliant with 4.0. The latest version of the standard will bring a new focus to an overlooked yet critically important ar