
3.8 Billion Clubhouse and Facebook User Records are Being Sold Online


According to CyberNews, a database holding the records of about 3.8 billion Clubhouse and Facebook users is being auctioned on a major hacker forum. The seller is reportedly asking $100,000 for the complete database but is willing to split it into smaller batches at lower prices.

These records contain sensitive information such as phone numbers, addresses, and names, among other things. All of this information appears to have been obtained through a breach of Clubhouse's systems on July 24th, during which numerous members' phone numbers were exposed online. However, the damage isn't limited to Clubhouse's users. 

According to the September 4 post, the database also contains profiles of users who do not have Clubhouse accounts, whose phone numbers may have been obtained by threat actors as a result of Clubhouse's previous requirement that users share their entire contact lists with the social media platform in order to use it. 

Because the platform requires users to sync their contacts with the app, the contact numbers stored on a user's phone can also be exposed if the company's servers are breached, and that appears to be exactly what occurred. As a result, even people who never created a Clubhouse account have had their data posted on the hacker forum and may be at risk. While it is still unclear how Facebook user IDs ended up in the mix, it is plausible that the cybercriminal matched the exposed numbers against those found in prior Facebook leaks, of which there have been many.

Prior to this compilation, threat actors had little use for the purportedly scraped Clubhouse phone numbers, which were posted without any additional information about their owners. As a result, the earlier Clubhouse scrape was labeled a "bad sample" on the forum and failed to pique scammers' interest.

However, according to CyberNews senior information security expert Mantas Sasnauskas, the expanded compilation "could serve as a goldmine for scammers." According to Sasnauskas, they would gain access to far more contextual information about the owners of the leaked phone numbers, such as usernames, locations inferred from phone number suffixes, Clubhouse network sizes, and Facebook profiles.

This means that scammers could far more easily launch localized mass campaigns and build customized scams from information gathered on potential victims' Facebook accounts. "People tend to overshare information on social media. This could give insights for scammers on what vector to employ to run their scams successfully by, for example, calling people with the information they learned from their Facebook account," says Sasnauskas.

Facebook Data Breach: API Security Risks

In 2018, Facebook disclosed a massive data breach that led to a lawsuit and to allegations that the company had not properly secured its user data. The breach directly compromised the authentication tokens of nearly 30 million users, which led to several class-action complaints being filed in a San Francisco appeals court. In the wake of the incident, Facebook pledged to strengthen its security.

A feature known as "View As", which developers used to render user pages, was exploited by attackers to obtain user access tokens. The theft of these tokens is an instance of a major API security risk, and it also shows how API risks can go unnoticed for a long time. The push toward digital modernization has accelerated the adoption of continuous integration and continuous delivery (CI/CD), closely related concepts that are sometimes used interchangeably. The main purpose of continuous delivery is to ensure that deploying new code takes the least possible effort; it lets DevOps teams maintain a constant flow of software updates, speeding up release cycles and reducing development risk.

Conventionally, developers worked on the parts of an application one at a time and then merged the code manually. The process was isolated and time-consuming, and it led to duplicated effort. As the IT ecosystem embraced the CI/CD model, which sped up development while allowing bugs to be caught early, much of the security stack was commercialized by major infrastructure providers, namely Microsoft and Amazon. The offerings include authorization, container protection and data encryption. Security components of first-generation firewalls and gateways, such as protection against denial-of-service (DDoS) attacks, are also part of that infrastructure.

APIs are a powerful and highly flexible tool for navigating and communicating, especially across unfamiliar systems. The same qualities, however, make APIs equally vulnerable.

Describing the major IT risk posed by APIs, Terry Ray, chief security officer at Imperva, said: "APIs represent a mushrooming security risk because they expose multiple avenues for hackers to try to access a company's data."

"To close the door on security risks and protect their customers, companies need to treat APIs with the same level of protection that they provide for their business-critical web applications."

The API threat is fundamentally rooted in a lack of visibility. Subra Kumaraswamy, former head of product security at Apigee, an API security vendor owned by Google, put the risk into perspective: "When you have visibility into your APIs throughout your organization, you can then put controls in place."

"You might decide that a certain API should only be exposed to in-house developers, not external, third-party ones. If you don't have visibility, you can't see who is accessing what."

Naming authorization and improper asset management as areas of key concern, Yalon said: "Authorization mechanisms are complex because they are not implemented in one place, but in many different components like configuration files, code, and API gateways."

"Even though this sometimes may look like simple housekeeping, having a very clear understanding of the APIs, with well-maintained inventory, and documentation (we whole-heartedly recommend Open API Specification) is very critical in the world of APIs," he added.
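The inventory and authorization concerns raised above, together with the OpenAPI recommendation, can be checked mechanically. The following is an added example, not code from the article or from any vendor named in it: it walks an OpenAPI 3 document and reports every operation that has no enforceable authorization requirement. The spec it audits is constructed for illustration.

```python
"""Flag OpenAPI 3 operations with no enforceable authorization requirement.
Added example (not the article's or any vendor's code); SAMPLE_SPEC is constructed."""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed spec: a global bearer-token requirement, one operation that opts
# out with `security: []`, and one that names a scheme that is never declared.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/me": {"get": {"operationId": "getMe"}},
        "/users/{id}/photos": {"get": {"operationId": "listPhotos",
                                       "security": []}},
        "/admin/export": {"post": {"operationId": "exportUsers",
                                   "security": [{"adminKey": []}]}},
    },
}


def audit_security(spec):
    """Return (METHOD, path, problem) tuples for every operation whose effective
    `security` (its own list if present, else the document-level one) is empty,
    or which references a scheme missing from components.securitySchemes."""
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    global_sec = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as parameters or summary
            effective = op.get("security", global_sec)
            if not effective:
                findings.append((method.upper(), path, "no authorization requirement"))
                continue
            for requirement in effective:
                for scheme in requirement:
                    if scheme not in declared:
                        findings.append((method.upper(), path,
                                         f"undeclared security scheme '{scheme}'"))
    return findings


if __name__ == "__main__":
    for finding in audit_security(SAMPLE_SPEC):
        print(*finding)
```

Run against a real spec (loaded with any JSON or YAML parser), the same walk gives the inventory of unauthenticated and mis-declared endpoints that the quoted advice asks teams to maintain.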

Facebook used user data to control competitors and rivals

Leaked documents from a lawsuit filed against Facebook by the now-defunct startup Six4Three, some 700 pages in all, reveal how Facebook leveraged user data against rivals and offered it up as a sop to friends.

NBC News reported how Facebook's executive team harnessed user data and used it as a bargaining chip to manipulate rivals. Thousands of leaked documents support the claim that this was done under the supervision of the company's CEO, Mark Zuckerberg.

NBC News has published a full log of 7,000 pages of documents, including 4,000 internal communications such as emails, web chats, notes, presentations and spreadsheets from Facebook. The documents, dated between 2011 and 2015, disclose the company's strategy of rewarding partners with preferential data access while denying the same to competitors.

The lawsuit that produced this major leak was filed by Six4Three, a now-defunct startup that created the failed app Pikinis. The app let users view pictures posted by people on Facebook, and to work it required access to Facebook data. The suit accuses Facebook of misusing and abusing data and of distributing it unevenly. Other apps, including Lulu, Beehive ID and Rosa Bandet, could no longer do business after losing access to data.

The documents also reveal similar operations: for instance, Facebook gave Amazon extended access to user data because it partnered with Facebook and spent on Facebook advertising, while denying data to MessageMe, a messaging app, once it grew large enough to compete with Facebook.

Commenting on the documents, Facebook's vice president and deputy general counsel, Paul Grewal, told NBC News, "As we've said many times, Six4Three — creators of the Bikinis app — cherry-picked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app's users." However, the company has provided no evidence to support the "cherry-picked" claim.

In March this year, Zuckerberg said that Facebook would make user privacy the focus of the social network's future. But for Facebook, privacy looks more like a PR stunt, and data more like a currency.