Privacy | Breaking Cybersecurity News | The Hacker News

Ireland's Data Protection Commission (DPC) has  levied fines  of €265 million ($277 million) against Meta Platforms for failing to safeguard the personal data of more than half a billion users of its Facebook service, ramping up privacy enforcement against U.S. tech firms. The fines follow an inquiry initiated by the European regulator on April 14, 2021, close on the heels of a leak of a "collated dataset of Facebook personal data that had been made available on the internet." This included the  personal information  associated with 533 million users of the social media platform, such as their phone numbers, dates of birth, locations, email addresses, gender, marital status, account creation date, and other profile details. Meta acknowledged that the information was "old data" that was obtained by malicious actors by taking advantage of a technique called "phone number enumeration" to  scrape users' public profiles . This entailed misusing a t

Internet giant Google has agreed to pay a record $391.5 million to settle with 40 states in the U.S. over charges the company misled users about the collection of personal location data. "Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information," Oregon Attorney General Ellen Rosenblum  said  Monday. "For years Google has prioritized profit over their users' privacy. They have been crafty and deceptive," Rosenblum stated. The investigation was sparked by a  2018 report  from the Associated Press that revealed Google was continuing to track users' locations on Android and iOS even when they turned off "location history" in their account settings, effectively undermining the privacy controls. Rosenblum said the location data gathered by Google is combined with other personal and behavioral information it collects to flesh out deta

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

Facebook appears to have silently rolled out a tool that allows users to remove their contact information, such as phone numbers and email addresses, uploaded by others. The existence of the  tool , which is buried inside a  Help Center page  about " Friending ," was first reported by  Business Insider  last week. It's offered as a way for "Non-users" to "exercise their rights under applicable laws." An Internet Archive search via the Wayback Machine  shows  that the option has been available since at least May 29, 2022. When users  sync the contact lists  on their devices with Facebook (or any other service), it's worth pointing out the  privacy violation , which stems from the fact that those contacts didn't explicitly consent to the upload. "Someone may have uploaded their address book to Facebook, Messenger, or Instagram with your contact information in it," Facebook notes in the page. "You can ask us to confirm whether

Wearable technology company Fitbit has announced a new clause that requires users to switch to a Google account "sometime" in 2023. "In 2023, we plan to launch Google accounts on Fitbit, which will enable use of Fitbit with a Google account," the Google-owned fitness devices maker  said . The switch will not go live for all users in 2023. Rather, support for Fitbit accounts is expected to continue until at least the beginning of 2025, after which a Google account will be mandatory for using the devices. The deeper integration also means that a Google account will be compulsory to sign up for Fitbit and activate new features, including those that incorporate Google products and services such as Google Assistant. Also necessitated as part of the transition is the consent from the part of users to move their personal data from Fitbit to Google. The internet giant  stressed that  users' personal information will not be used to serve ads. The goal, Fitbit said

Akasa Air, India's newest commercial airline, exposed the personal data belonging to its customers that the company blamed on a technical configuration error. According to security researcher Ashutosh Barot , the issue is rooted in the account registration process, leading to the exposure of details such as names, gender, email addresses, and phone numbers. The bug was identified on August 7, 2022, the same day the low-cost airline commenced its operations in the country. "I found an HTTP request which gave my name, email, phone number, gender, etc. in JSON format," Barot  said  in a write-up. "I immediately changed some parameters in [the] request and I was able to see other user's PII. It took around ~30 minutes to find this issue." Upon receiving the report, the company  said  it temporarily shut down parts of its system to incorporate additional security guardrails. It has also reported the incident to the Indian Computer Emergency Response Team (

The U.S. Federal Trade Commission (FTC) on Monday said it filed a lawsuit against Kochava, a location data broker, for collecting and selling precise geolocation data gathered from consumers' mobile devices. The complaint alleges that the U.S. company  amasses  a "wealth of information" about users by purchasing data from other data brokers to sell to its own clients. "Kochava then sells customized data feeds to its clients to, among other purposes, assist in advertising and analyzing foot traffic at stores or other locations," the FTC  said . "Among other categories, Kochava sells timestamped latitude and longitude coordinates showing the location of mobile devices." The Idaho-based company advertises itself as a "real-time data solutions company" and the "largest independent data marketplace for connected devices." It also claims its  Kochava Collective  data marketplace provides "premium data feeds, audience targeting, a

Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user's device to access sensitive information and camera recordings. The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm systems. Amazon acquired the doorbell maker for about $1 billion in 2018. Application security firm Checkmarx  explained  it identified a cross-site scripting (XSS) flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app. The app can then be used to get hold of the user's Authorization Token, that can be subsequently leveraged to extract the session cookie by sending this information alongside the device's hardware ID, which is also encoded in the token, to the endpoint "ring[.]com/mobile/authorize." Armed with th

Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform. "As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company  said  in an advisory. Twitter said the bug, which it was  made aware  of in January 2022, stemmed from a code change introduced in June 2021. No passwords were exposed as a result of the incident. The six-month delay in making this public stems from new evidence last month that an unidentified actor had potentially taken advantage of the flaw before the fix to scrape user information and sell it for profit on  Breach Forums . Although Twitter didn't reveal the exact number of impacted users, the forum post made by the threat actor shows that the flaw was pr

Google on Wednesday said it's once again delaying its plans to turn off third-party cookies in the Chrome web browser from late 2023 to the second half of 2024. "The most consistent feedback we've received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome," Anthony Chavez, vice president of Privacy Sandbox,  said . In keeping this in mind, the internet and ad tech giant said it's taking a "deliberate approach" and  extending the testing window  for its ongoing Privacy Sandbox initiatives prior to phasing out third-party cookies. Cookies are pieces of data planted on a user's computer or other device by the web browser as a website is accessed, with third-party cookies fueling much of the digital advertising ecosystem and its ability to track users across different sites to show targeted ads. Privacy Sandbox is Google's umbrella term for a set of technologies

A group of academics from the New Jersey Institute of Technology (NJIT) has warned of a novel technique that could be used to defeat  anonymity protections  and identify a unique website visitor. "An attacker who has complete or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website," the researchers  said . "The attacker knows this target only through a public identifier, such as an email address or a Twitter handle." The cache-based targeted  de-anonymization attack  is a  cross-site leak  that involves the adversary leveraging a service such as Google Drive, Dropbox, or YouTube to privately share a resource (e.g., image, video, or a YouTube playlist) with the target, followed by embedding the shared resource into the attack website. This can be achieved by, say, privately sharing the resource with the target using the victim's email address or the appropriate username associated with the serv

The U.S. Federal Trade Commission (FTC) warned this week that it will crack down on tech companies' illegal use and sharing of highly sensitive data and false claims about data anonymization. "While many consumers may happily offer their location data in exchange for real-time crowd-sourced advice on the fastest route home, they likely think differently about having their thinly-disguised online identity associated with the frequency of their visits to a therapist or cancer doctor," FTC's Kristin Cohen  said . The sensitive nature of information about users' health and their precise whereabouts has prompted the agency to caution against opaque practices in the "shadowy ad tech and  data broker ecosystem ," with consumers having little to no knowledge of how their personal data is harvested, used, and processed. This lack of awareness is compounded by the fact that mobile apps embed privacy-invasive software development kits (SDKs) that surreptitious

Popular video-sharing platform TikTok on Tuesday agreed to pause a controversial privacy policy update that could have allowed it to serve targeted ads based on users' activity on the social video platform without their permission to do so. The reversal, reported by  TechCrunch , comes a day after the Italian data protection authority — the Garante per la Protezione dei Dati Personali — warned the company against the change, citing violations of data protection laws. "The personal data stored in users' devices may not be used to profile those users and send personalized ads without their explicit consent," the Garante  said . The formal warning was in response to a privacy policy revision that noted the service had historically asked users' "consent" to their on-TikTok activity and off-TikTok activity to serve personalized ads and that, therefore, it intends to stop asking users for their permission to profile their behavior and process personal dat

Apple on Wednesday announced it plans to introduce an enhanced security setting called  Lockdown Mode  in iOS 16, iPadOS 16, and macOS Ventura to safeguard high-risk users against "highly targeted cyberattacks." The "extreme, optional protection" feature, now available for preview in beta versions of its upcoming software, is designed to counter a surge in threats posed by private companies developing state-sponsored surveillanceware such as  Pegasus ,  DevilsTongue ,  Predator , and  Hermit . Lockdown Mode, when enabled, "hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware," Apple  said  in a statement. This includes blocking most message attachment types other than images and disabling link previews in Messages; rendering inoperative just-in-time ( JIT ) JavaScript compilation; removing support for shared albums in Photos; a

Following heightened worries that U.S. users' data had been accessed by TikTok engineers in China between September 2021 and January 2022, the company sought to assuage U.S. lawmakers that it's taking steps to "strengthen data security." The admission that some China-based employees can access information from U.S. users came in a letter sent to nine senators, which further noted that the procedure requires the individuals to clear numerous internal security protocols. The contents of the letter, first  reported  by The New York Times, shares more details about TikTok's plans to address data security concerns through a multi-pronged initiative codenamed "Project Texas." "Employees outside the U.S., including China-based employees, can have access to TikTok U.S. user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team," TikTok CEO Shou Zi Chew wrote in the m

Following the footsteps of  Austria  and  France , the Italian Data Protection Authority has become the latest regulator to find the use of Google Analytics to be non-compliant with E.U. data protection regulations. The Garante per la Protezione dei Dati Personali, in a press release  published  last week, called out a local web publisher for using the widely used analytics tool in a manner that allowed key bits of users' personal data to be illegally transferred to the U.S. without necessary safeguards. This includes interactions of users with the websites, the individual pages visited, IP addresses of the devices used to access the websites, browser specifics, details related to the device's operating system, screen resolution, and the selected language, as well as the date and time of the visits. The Italian supervisory authority (SA) said that it arrived at this conclusion following a "complex fact-finding exercise" it commenced in collaboration with other E.

A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in  Google Play Protect  — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG)  said  in a Thursday report. Hermit, the work of an Italian vendor named RCS Lab, was  documented  by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages. Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, besides abusing its permissions to accessibility services on Android to keep tabs on various foreground apps used by the victims. Its modularity also enab

A new piece of research from academics at ETH Zurich has identified a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data. In a paper titled " MEGA: Malleable Encryption Goes Awry ," the researchers point out how MEGA's system does not protect its users against a malicious server, thereby enabling a rogue actor to fully compromise the privacy of the uploaded files. "Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client," ETH Zurich's Matilda Backendal, Miro Haller, and Kenneth G. Paterson said in an analysis of the service's cryptographic architecture. MEGA, which  advertises  itself as the "privacy company" and claims to provide user-controlled end-to-end encrypted cloud storage, has more than 10 million daily active users, w

A new research undertaken by a group of academics from the University of California San Diego has revealed for the first time that Bluetooth signals can be fingerprinted to track smartphones (and therefore, individuals). The identification, at its core, hinges on imperfections in the Bluetooth chipset hardware introduced during the manufacturing process, resulting in a "unique physical-layer fingerprint." "To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals," the researchers  said  in a  new paper   titled  "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices." The  attack  is made possible due to the ubiquitous nature of Bluetooth Low Energy (BLE) beacons that are continuously transmitted by modern devices to enable crucial functions such as  contact tracing  during public health emergencies. The hardwa

A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information.  Dubbed  Peekaboo  by researchers from Carnegie Mellon University, the  system  "leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before sending it to external cloud servers." Peekaboo operates on the principle of data minimization, which refers to the practice of limiting data collection to only what is required to fulfill a specific purpose. To achieve this, the system requires developers to explicitly declare the relevant data collection behaviors in the form of a manifest file that's then fed into an in-home trusted hub to transmit sensitive data from smart home apps such as smart doorbells on a need-to-know basis. The hub not only functions as a mediator between raw data from IoT devices and the respe