Meta’s data scraping: against the rules, but impossible to stop?
While we enjoy so many “free” online services like social media, our privacy becomes the price we have to pay.
Most of us have had personal data exposed in a breach at some point. If you have tried our personal data leak checker or password leak checker, you may have found that your phone number, email address or even a password has been leaked.
In some cases, leaks occur due to a cyber attack, a malicious insider, or simply the accidental loss or exposure of data. But threat actors don’t always need to penetrate the company’s network to get hold of our sensitive details.
Just last week, Facebook, long criticized for trading in user data, was fined €265 million ($277 million at the time) by Ireland’s data protection regulator over a scraped data set that exposed the records of more than 533 million Facebook users. Those users’ phone numbers, names, genders, occupations, email addresses, locations and even marital status now circulate freely online.
Threat actors no longer charge for this data – it’s out there for anyone to take advantage of. Facebook said it was taking action against data scraping, but is it enough?
Ireland launched an inquiry last year after a massive data set scraped from Facebook was made available online.
Ireland’s data protection watchdog, which consulted all EU data protection regulators before its decision, said Facebook breached the General Data Protection Regulation (GDPR), namely Articles 25(1) and 25(2).
The aforementioned rules discuss the necessity of data minimization and pseudonymization to protect data and ensure that “personal information is not made available without the intervention of the individual.”
Scraping is just that – someone harvesting available data about us online, from our usernames to emails and phone numbers to any other data that can be obtained from publicly available sources.
This is the second fine for Meta in just a couple of months. In September, Ireland had already fined Meta-owned Instagram €405 million (about $428 million) after investigating the public disclosure of children’s email addresses and phone numbers.
As scraping continues to be a challenge on the internet, Facebook opened up two new research areas to its bug bounty community and is now rewarding scraping bugs submitted by Gold+ Hacker Plus researchers.
Meta also says it is rewarding reports of unprotected or openly public data sets containing at least 100,000 unique Facebook user records that include information such as email, phone number, physical address and religious or political affiliation.
In July, Meta filed separate lawsuits in US federal court against Octopus, the US subsidiary of a Chinese national high-tech enterprise, and against Ekrem Ateş, for scraping data from Facebook and Instagram.
Meta accuses Octopus of building a cloud-based platform that gives paying customers on-demand access to scraping software and services. The Turkey-based Ateş is being sued for allegedly using automated Instagram accounts to scrape data from the profiles of over 350,000 Instagram users.
Meanwhile, WhatsApp has not released an official comment following reports of an alleged massive data leak, which raises the question of whether such a data set of user phone numbers could have been assembled by scraping.
“While companies may have terms that prohibit it, they really need technical controls in place to prevent it. Any data that’s available can be scraped,” John Earle, president of cybersecurity consultancy Protocol 86, told Cybernews.
Can scraping be prevented?
The fact that companies don’t allow scraping doesn’t deter bad actors from abusing the applications’ native application programming interface (API), says Kyle Kurdziolek, senior cloud security manager at data management company BigID.
Stopping unwanted scraping is extremely difficult because, as Sam Crowther, CEO of bot-mitigation company Kasada, explained, you get only one chance to decide whether a request comes from a human or a bot. There is no time to observe the client’s behavior over a session using machine learning (ML) or other means before the data has already been served.
“Scraping bots are very difficult to detect because they look and act just like humans – hiding behind residential proxy networks and leveraging highly customized automation tools. It’s entirely possible that WhatsApp didn’t notice these scraping bot requests,” Crowther said.
Distributed bots are hard to stop because their requests rarely share an IP address or session ID, so controls that count requests per source never trip.
“Scrapers now have the ability to break up the scraping work into chunks and send them to different robots. I don’t mean one or two, more like a thousand to tens of thousands of robots. That activity is harder to spot. I know this is accurate because security researchers use the same techniques to scrape threat actor forums and channels,” David Maynor, head of the Cyber Threat Intelligence Group (CTIG), told Cybernews.
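An added example, not code from the article or from Meta, Kasada or BigID, of the blind spot Maynor describes: a toy Python detector run over a constructed access log. A per-IP rate limit sees nothing when 200 profile fetches are spread across 40 source addresses with a fresh session each; a target-side check that looks at which profile ids were fetched in a time window, regardless of who fetched them, catches the id-space walk and lists the addresses that took part. The IP ranges, profile ids, session names, log format and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the article, Meta, Kasada or BigID. It contrasts a per-IP
# rate limit with a target-side enumeration check over a constructed access log.
# Assumed log format: "<iso timestamp> <ip> <session id> GET /profile/<id>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) GET /profile/(\d+)$")


def build_sample_log():
    """Constructed log lines; not real traffic."""
    t0 = datetime(2022, 11, 28, 12, 0, 0)
    lines = []
    # One ordinary user: a single IP and session, six unrelated profiles over ten minutes.
    for i, pid in enumerate([48213, 9931, 77210, 48213, 150004, 2]):
        ts = (t0 + timedelta(seconds=100 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 sess-user1 GET /profile/{pid}")
    # A distributed scraper: 200 consecutive profile ids in chunks of five per source IP
    # (192.0.2.0/24 stands in for a residential proxy pool), a fresh session per request,
    # everything inside two minutes.
    for n in range(200):
        ts = (t0 + timedelta(seconds=0.6 * n)).isoformat()
        lines.append(f"{ts} 192.0.2.{1 + n // 5} sess-{n:04d} GET /profile/{100000 + n}")
    return lines


def parse(lines):
    """Return (timestamp, ip, session, profile_id) tuples; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, ip, sess, pid = m.groups()
            records.append((datetime.fromisoformat(ts), ip, sess, int(pid)))
    return records


def per_ip_offenders(records, window=timedelta(minutes=5), limit=30):
    """Classic rate limit: an IP is flagged only if it sends more than `limit` requests
    inside any `window`. A proxy pool sending a few requests per address never trips it."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in records:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def dense_runs(sorted_ids, max_gap=3):
    """Split a sorted id list into runs whose consecutive gaps are at most `max_gap`."""
    runs, current = [], [sorted_ids[0]]
    for a, b in zip(sorted_ids, sorted_ids[1:]):
        if b - a <= max_gap:
            current.append(b)
        else:
            runs.append(current)
            current = [b]
    runs.append(current)
    return runs


def enumeration_windows(records, window=timedelta(minutes=5), min_run=50):
    """Target-side check: per time bucket, look at the set of profile ids fetched by
    anyone. A dense contiguous run of ids is an id-space walk whoever sent the requests;
    report it together with the IPs and sessions that fetched ids inside the run."""
    if not records:
        return []
    t_start = min(r[0] for r in records)
    buckets = defaultdict(list)
    for ts, ip, sess, pid in records:
        buckets[(ts - t_start) // window].append((ip, sess, pid))
    hits = []
    for key in sorted(buckets):
        reqs = buckets[key]
        ids = sorted({pid for _, _, pid in reqs})
        for run in dense_runs(ids):
            if len(run) < min_run:
                continue
            lo, hi = run[0], run[-1]
            members = [(ip, sess) for ip, sess, pid in reqs if lo <= pid <= hi]
            hits.append({
                "bucket_start": t_start + key * window,
                "id_range": (lo, hi),
                "run_length": len(run),
                "ips": len({ip for ip, _ in members}),
                "sessions": len({sess for _, sess in members}),
            })
    return hits


if __name__ == "__main__":
    recs = parse(build_sample_log())
    print("per-IP rate limit flags:", per_ip_offenders(recs) or "nothing")
    for h in enumeration_windows(recs):
        print(f"enumeration run {h['id_range']} ({h['run_length']} ids) from "
              f"{h['ips']} IPs / {h['sessions']} sessions starting {h['bucket_start']}")
```

The per-IP limit returns an empty set, while the enumeration check reports one run of 200 ids fetched by 40 addresses over 200 sessions. The design point is that the signal lives in the target (which records are being read, in what order, how completely), not in the source; sequential ids are the simplest case, and the same aggregation works for coverage of a phone-number range or a contact list once the key being walked is known.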
Secure your WhatsApp
A private individual’s phone number, unlike the published contact details of government agencies and companies, is personally identifiable information (PII).
Companies that collect it are therefore obliged to protect it. Even so, your email address or phone number can still leak, whether through a security flaw or through scraping that some companies tolerate.
There are a few things you can do to ensure that your exposed information does not benefit threat actors:
Do not answer calls or texts from unknown numbers. Block anyone who raises suspicion.
Turn on two-step verification (WhatsApp’s 2FA) as soon as possible – go to Settings > Account > Two-step verification and set a PIN.
Check that your profile information is not publicly visible. Go to Settings > Privacy and choose who can see your profile picture, “about” information, last seen and other account details. Limit these to your contacts, or to a smaller group.
Don’t fall for scam support messages. We have seen scammers offering their “help” by redirecting WhatsApp users to “experts” who can supposedly recover a hacked account. The only way to recover a hacked account is through WhatsApp’s official support.