Socialarks leaks 400GB of scraped data exposing 200+ million Facebook, Instagram and LinkedIn users. Again.

High-flying and rapidly growing Chinese social media management company Socialarks has suffered a huge data leak leading to the exposure of over 400GB of personal data including several high-profile celebrities and social media influencers.

The company’s unsecured ElasticSearch database contained personally identifiable information (PII) from at least 214 million social media users from around the world, using both popular consumer platforms such as Facebook and Instagram, as well as professional networks such as LinkedIn.

The Elastic instance was discovered as part of Safety Detectives’ cybersecurity mission of discovering online vulnerabilities that could potentially pose risks to the general public. Once the owner of the data is identified, our team then informs the affected parties as soon as possible to mitigate the risk of any cybersecurity breaches and server leaks.

In Socialarks’ case, our team found the ElasticSearch server to be publicly exposed without password protection or encryption, during routine IP-address checks on potentially unsecured databases.

The lack of security apparatus on the company’s server meant that anyone in possession of the server IP-address could have accessed a database containing millions of people’s private information.
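The three weaknesses the report names (reachable from the internet, no password, no encryption) each correspond to a handful of elasticsearch.yml settings. As an added illustration that is not part of the Safety Detectives write-up and says nothing about Socialarks’ real configuration, the checker below flags those weaknesses in two constructed sample configs; the setting names are real Elasticsearch settings, the values are invented.

```python
"""Flag the exposure pattern described above in an elasticsearch.yml:
HTTP API bound beyond loopback, authentication off, HTTP TLS off.
Added example; both sample configs are constructed, not Socialarks' own."""

# Constructed sample: the shape of an instance anyone with the IP can read.
WEAK_CONFIG = """\
cluster.name: social-scrape
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: loopback only, authentication and HTTP TLS enabled.
HARDENED_CONFIG = """\
cluster.name: social-scrape
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Values of network.host that keep the REST API off the network.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "_local_", "localhost"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml.
    Deliberately tiny: no nesting, no lists; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged.
    Absent security settings are treated as weak because their defaults
    differ between Elasticsearch versions."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")  # Elasticsearch binds loopback by default
    if host not in LOOPBACK_HOSTS:
        findings.append(f"network.host={host}: HTTP API reachable beyond loopback")
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication on the REST API")
    if s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: HTTP traffic unencrypted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Binding to loopback only is the setting that most directly prevents the situation described above, where possession of the server IP was enough to read the index; authentication and TLS are the layers that still matter once the service must be reachable from other hosts.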

According to Anurag Sen, head of the Safety Detectives cybersecurity team, the affected database contained a “huge trove” of sensitive personal information to the tune of 408GB and more than 318 million records in total.

Given the sheer size of the data leak, it has been severely challenging for our team to unravel the full extent of the potential damage caused.

Our research team was able to determine that the entirety of the leaked data was “scraped” from social media platforms, which is both unethical and a violation of Facebook’s, Instagram’s and LinkedIn’s terms of service.

Moreover, it is important to note that Socialarks suffered a similar data breach in August 2020 leading to data from 150 million LinkedIn, Facebook and Instagram users being exposed.

Almost as a carbon-copy, August’s database breach revealed reams of personal data from 66 million LinkedIn users, 11.6 million Instagram accounts and 81.5 million Facebook accounts.

From the leaked data we discovered, it was possible to determine people’s full names, country of residence, place of work, position, subscriber data and contact information, as well as direct links to their profiles.

[…]

The database contained more than 408GB of data and more than 318 million records.

What was leaked?

Without any protection whatsoever, our research team discovered the following:

  • 11,651,162 Instagram user profiles
  • 66,117,839 LinkedIn user profiles
  • 81,551,567 Facebook user profiles
  • a further 55,300,000 Facebook profiles which were summarily deleted within a few hours after our team first discovered the server and its vulnerability.

What was surprising is that the numbers of profiles affected in the data leak found by our team are the same as the numbers mentioned in the August data leak. However, there were big differences, such as the size of the database, the companies hosting the servers and the number of indices.

The affected server, hosted by Tencent, was segmented into indices in order to store data obtained from each social media source. Our team discovered records from 3 major social media platforms: Instagram, Facebook and LinkedIn.

Instagram data

The Instagram index contained various popular personalities and online celebrities.

Our team discovered several high-profile influencers in the exposed database, including prominent food bloggers, celebrities and other social media influencers.

Celebrity Instagram profile including phone number and email address.

Every record contained public data scraped from influencer Instagram accounts, including their biographies, profile pictures, follower totals, location settings as well as personal information such as contact details in the form of email addresses and phone numbers.

The Instagram records exposed the following details:

  • Full name
  • Phone numbers for 6+ million users
  • Email addresses for all 11+ million users
  • Profile link
  • Username
  • Profile picture
  • Profile description
  • Average comment count
  • Number of followers and following count
  • Country of location
  • Specific locality in some cases
  • Frequently used hashtags

Facebook data

As mentioned above, the leak exposed 81.5 million Facebook user profiles with over 40 million exposed phone numbers and a further 32 million email address entries. Notably, most of the phone numbers our team discovered originated from pages and not individuals.

The Facebook records exposed the following details:

  • Full name
  • ‘About’ text
  • Email addresses
  • Phone numbers
  • Country of location
  • Like, Follow and Rating count
  • Messenger ID
  • Facebook link with profile pictures
  • Website link
  • Profile description

LinkedIn data

Finally, our team discovered 66.1 million LinkedIn user profiles with as many as 31 million leaked email addresses (not disclosed in the profile but obtained through other, as yet unknown, sources).

The LinkedIn records exposed the following details:

  • Full name
  • Email addresses
  • Job profile including job title and seniority level
  • LinkedIn profile link
  • User tags
  • Domain name
  • Connected social media account login names e.g., Twitter
  • Company name and revenue margin

Database search showing 66 million LinkedIn profile results including personal information such as job title, name and email address.

The chart below shows a sample breakdown of user-profiles, sorted by country, from a sample of 42 million records.

Unexplained presence of Instagram and LinkedIn personal data

Socialarks’ database contained scraped data including personal information, although the user data was only partially complete.

However, according to our findings, Socialarks’ database stored personal data for Instagram and LinkedIn users such as private phone numbers and email addresses for users that did not divulge such information publicly on their accounts. How Socialarks could possibly have access to such data in the first place remains unknown.

Also, the fact that such a large, active, and data-rich database was left completely unsecured (probably for a second time) is astonishing.

It remains unclear how the company managed to obtain private data from multiple secure sources.

Instagram profile showing email and phone number despite information not being provided to Instagram.

It is also worth noting that Socialarks is based in China and was founded with private venture capital in 2014, while the vulnerable server is located in Hong Kong.

Source: Chinese start-up leaked 400GB of scraped data exposing 200+ million Facebook, Instagram and LinkedIn users

AI upstart stealing facial data told to delete data and algorithms

Everalbum, a consumer photo app maker that shut down on August 31, 2020, and has since relaunched as a facial recognition provider under the name Paravision, on Monday reached a settlement with the FTC over the 2017 introduction of a feature called “Friends” in its discontinued Ever app. The watchdog agency claims the app deployed facial recognition code to organize users’ photos by default, without permission.

According to the FTC, between July 2018 and April 2019, Everalbum told people that it would not employ facial recognition on users’ content without consent. The company allegedly let users in certain regions – Illinois, Texas, Washington, and the EU – make that choice, but automatically activated the feature for those located elsewhere.

The agency further claims that Everalbum’s use of facial recognition went beyond supporting the Friends feature. The company is alleged to have combined users’ faces with facial images from other information to create four datasets that informed its facial recognition technology, which became the basis of a face detection service for enterprise customers.

The company also is said to have told consumers using its app that it would delete their data if they deactivated their accounts, but didn’t do so until at least October 2019.

The FTC, in announcing the case and its settlement, said Everalbum/Paravision will be required to delete: photos and videos belonging to Ever app users who deactivated their accounts; all face embeddings – vector representations of facial features – from users who did not grant consent; and “any facial recognition models or algorithms developed with Ever users’ photos or videos.”

The FTC has not done this in past privacy cases with technology companies. According to FTC Commissioner Rohit Chopra, when Google and YouTube agreed to pay $170m over allegations the companies had collected data from children without parental consent, the FTC settlement “allowed Google and YouTube to profit from its conduct, even after paying a civil penalty.”

Likewise, when the FTC voted to approve a settlement with Facebook over claims it had violated its 2012 privacy settlement agreement, he said, Facebook did not have to give up any of its facial recognition technology or data.

“Commissioners have previously voted to allow data protection law violators to retain algorithms and technologies that derive much of their value from ill-gotten data,” said Chopra in a statement [PDF]. “This is an important course correction.”

[…]

Source: Privacy pilfering project punished by FTC purge penalty: AI upstart told to delete data and algorithms • The Register

Tesla Would Take Nearly 1,600 Years To Make The Amount Of Money The Stock Market Values It At

Tesla is an oddity in the business landscape. The company’s stock is so stratospheric that Elon Musk has surpassed Jeff Bezos as the world’s richest person. Now, we have another mind-blowing metric. At Tesla’s current price-to-earnings ratio, it would take the company almost 1,600 years to make what the stock market says it’s worth.

The New Statesman put up a startling comparison. In 2020, Tesla delivered 499,550 vehicles. Yet, its market capitalization shot up to $750 billion dollars. Comparatively, General Motors delivered 2.5 million vehicles in the same year, yet its market value is only $62 billion. Tesla’s price-to-earnings ratio — a comparison of current share price to earnings per share — is roughly 128X (the industry average is 15X), according to Zacks Investment Research. Based on that ratio, it would take Tesla 1,600 years to make the kind of money the stock market says it’s worth.

Source: Tesla Would Take Nearly 1,600 Years To Make The Amount Of Money The Stock Market Values It At

Amazon Ring Neighbors App Left User Data Exposed, incl addresses, lat + long

Ring, the Amazon-owned friend to nosy police departments everywhere, has suffered another embarrassing security stumble. The surveillance company’s Neighbors app—which was launched in 2018 as a kind of “neighborhood watch” feature—apparently left users’ exact geographical data and home address information exposed to the internet.

Neighbors is Ring’s online forum where users can share public safety information about what’s going on in their communities. It’s basically a more dystopian version of Nextdoor. Posts on Neighbors are public but supposedly anonymous, with a poster’s full name and location obscured. Yet, due to the recently discovered security bug, a savvy web explorer would’ve been able to access information about the home addresses, as well as the exact latitude and longitude, of a poster’s location, TechCrunch reports.

Similarly, every time a user posted on Neighbors, Ring servers generated a unique number for the post. These numbers increased incrementally with each post, making it easy to tie the identifying number to other information about the poster, including geographical data, according to TechCrunch. All of this was invisible to the app user, however.
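The two defects in the report combine badly: the server sent fields the app never displayed, and the post identifiers were sequential, so one leaked record pointed at the next. The snippet below is an added example that is not Ring’s code and is built on a constructed sample post; it places the leaky response pattern beside a hardened one that minimises data server-side and uses unguessable identifiers.

```python
"""Leaky versus hardened API response for a 'neighborhood post'.
Added example with a constructed record; not Ring's code or data."""
import itertools
import secrets

# Constructed sample post as stored server-side (fictional person and address).
POST = {
    "title": "Package left on porch",
    "author_name": "A. Example",
    "street_address": "123 Example Street",
    "lat": 40.7128123,
    "lon": -74.0060456,
}

# Fields the client is meant to hide; they must not leave the server at all.
PRIVATE_FIELDS = {"author_name", "street_address"}

_counter = itertools.count(1000)  # stands in for an auto-increment primary key


def leaky_response(post):
    """The pattern described above: the UI obscures name and location, but the
    server returns every stored field anyway, keyed by a sequential id."""
    return {"id": next(_counter), **post}


def hardened_response(post, precision=2):
    """Data minimisation at the API boundary: drop fields the UI never shows,
    coarsen coordinates to the neighbourhood level (2 decimals is roughly 1 km),
    and use a random opaque id so posts cannot be walked in order."""
    return {
        "id": secrets.token_urlsafe(16),
        "title": post["title"],
        "lat": round(post["lat"], precision),
        "lon": round(post["lon"], precision),
    }


def leaks_private_fields(response):
    """Review check: does a response body carry any field from PRIVATE_FIELDS?"""
    return bool(PRIVATE_FIELDS & set(response))


def ids_look_sequential(ids):
    """Review check over a sample of ids: all integers, each exactly one more
    than the previous, which is what makes enumeration trivial."""
    if not all(isinstance(i, int) for i in ids) or len(ids) < 2:
        return False
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    print("leaky:", leaky_response(POST))
    print("hardened:", hardened_response(POST))
```

The useful habit here is to write the response schema as an allow-list of fields rather than serialising the stored record, so that anything the interface hides is hidden by the server too; the opaque identifier then removes the correlation path between posts.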

Source: Amazon Ring Neighbors App Left User Data Exposed

I still don’t understand the use case for Ring. “I’m not here, leave the package” – right, I’ll just break in now then!

NYPD posts surveillance technology impact and use policies and requests comments

Beginning January 11, 2020, draft surveillance technology impact and use policies will be posted on the Department’s website. Members of the public are invited to review the impact and use policies and provide feedback on their contents. The impact and use policies provide details of: 1) the capabilities of the Department’s surveillance technologies, 2) the rules regulating the use of the technologies, 3) protections against unauthorized access of the technologies or related data, 4) surveillance technologies data retention policies, 5) public access to surveillance technologies data, 6) external entity access to surveillance technologies data, 7) Department trainings in the use of surveillance technologies, 8) internal audit and oversight mechanisms of surveillance technologies, 9) health and safety reporting on the surveillance technologies, and 10) potential disparate impacts of the impact and use policies for surveillance technologies.

Source: Draft Policies for Public Comment

Epic Games files competition lawsuit against Google in the UK over Fortnite’s ejection from Play Store

Epic Games intends to file a competition lawsuit against Google in the UK as part of the ongoing Fortnite-kicked-off-platforms saga, according to documents lodged with the Competition Appeal Tribunal.

The lawsuit will allege that Google, holder of “a dominant position in the Android app distribution market”, has unfairly restricted “competition from alternative app stores and other channels for the distribution of apps” [PDF].

The legal action the games dev is taking in the UK is similar to a US lawsuit it filed against Apple, which ejected Epic from its App Store in a commercial spat about cult game Fortnite.

The dispute is over exclusivity and how much of a cut Google takes from in-game microtransactions in Fortnite. As we reported back in 2018, Epic launched the Android version of Fortnite through its own website rather than the Google Play Store, the official app repository for Android. This initially deprived Google of its 30 per cent cut of Android app sale prices, though the app was later released through the Play Store.

At the time, Epic chief exec Tim Sweeney had a good old spleen-venting session about the “economics of the store ecosystem as it exists right now”.

In August 2020, Epic introduced what its Competition Appeal Tribunal (CAT) claim described as “a direct payment option into the Fortnite app on the Google Play Store. This enabled consumers to pay Epic directly for in-app content instead of using Google’s payment processor.” Google responded by ejecting Fortnite from the Play Store altogether.

Epic is set to allege that Google is “using its market position to charge unfair prices for the distribution of apps via the Google Play Store and/or in relation to the purchase of digital in-app content within those apps,” breaking section 18 of the Competition Act 1998 and Article 101 of the Treaty on the Functioning of the European Union.

Source: Epic Games files competition lawsuit against Google in the UK over Fortnite’s ejection from Play Store • The Register

WhatsApp delays enforcement of privacy terms by 3 months, following backlash

WhatsApp said on Friday that it won’t enforce the planned update to its data-sharing policy until May 15, weeks after news about the new terms created confusion among its users, exposed the Facebook app to a potential lawsuit, triggered a nationwide investigation and drove tens of millions of its loyal fans to explore alternative messaging apps.

“We’re now moving back the date on which people will be asked to review and accept the terms. No one will have their account suspended or deleted on February 8. We’re also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp. We’ll then go to people gradually to review the policy at their own pace before new business options are available on May 15,” the firm said in a blog post.

Source: WhatsApp delays enforcement of privacy terms by 3 months, following backlash | TechCrunch

I’m pretty sure there is no confusion. People just don’t want all their data shared to Facebook when they were promised it wouldn’t be. So they are leaving to Signal and Telegram.

Apple Is Reportedly Cracking Down on App Sideloading on M1 Macs

Earlier this week, 9to5Mac spotted some iOS and macOS beta code that suggested Apple would prevent users from being able to sideload unsupported apps onto the new M1 Macs. Today, 9to5Mac reported that it’s now no longer possible to sideload apps that aren’t available in the Mac App Store even if they’re available on iOS.

You can run iOS and iPadOS apps on your M1 Mac, but only if a developer supports it. Per the report, users had been sideloading apps with tools like iMazing from their iPhones or iPad and could use them on their Apple Silicon computers whether or not they were technically supported. Now, when attempting to sideload an app not available in the Mac App Store on an M1 Mac running the macOS 11.2 beta, users will see an error message that the application “cannot be installed because the developer did not intend for it to run on this platform,” according to a screengrab from 9to5Mac.

[…]

Source: Apple Is Reportedly Cracking Down on App Sideloading on M1 Macs

If it’s fun, you can’t have it. Sieg Heil Apfel!

Virgin Orbit launches rocket off a 747 aircraft, puts satellites into orbit

A 70-foot rocket, riding beneath the wing of a retrofitted Boeing 747 aircraft, detached from the plane and fired itself into Earth’s orbit on Sunday — marking the first successful launch for the California-based rocket startup Virgin Orbit.

Virgin Orbit’s 747, nicknamed Cosmic Girl, took off from California around 10:30 am PT with the rocket, called LauncherOne, nestled beneath the plane’s left wing. The aircraft flew out over the Pacific Ocean before the rocket was released, freeing LauncherOne and allowing it to power up its rocket motor and propel itself to more than 17,000 miles per hour, fast enough to begin orbiting the Earth.

“In both a literal and figurative sense, this is miles beyond how far we reached in our first Launch Demo,” the company posted on its Twitter account.

The rocket flew a group of tiny satellites on behalf of NASA’s Educational Launch of Nanosatellites, or ELaNa, program, which allows high school and college students to design and assemble small satellites that NASA then pays to launch into space. The nine small satellites that Virgin Orbit flew on Sunday included a temperature-monitoring satellite from the University of Colorado at Boulder, a satellite that will study how tiny particles collide in space from the University of Central Florida, and an experimental radiation-detection satellite from the University of Louisiana at Lafayette.

About four hours after takeoff on Saturday, Virgin Orbit confirmed in a tweet that all the satellites were “successfully deployed into our target orbit.”

The successful mission makes Virgin Orbit only the third so-called “New Space” company — startups hoping to overhaul the traditional industry with innovative technologies — to reach orbit, after SpaceX and Rocket Lab. The success also paves the way for Virgin Orbit to begin launching satellites for a host of customers that it already has lined up, including NASA, the military and private-sector companies that use satellites for commercial purposes.

[…]

Source: Virgin Orbit launches rocket off a 747 aircraft – CNN