At a glance.
- Meta warns Facebook users about malicious apps.
- Toyota leaves the keys in the car door.
- Dialog IT discloses security incident.
Meta warns Facebook users about malicious apps.
Facebook’s corporate parent Meta has issued warnings to one million Facebook users that their account data might have been compromised by third-party apps downloaded from Google’s Play Store and Apple’s App Store. Meta’s security researchers discovered that over four hundred apps, disguised as harmless services like photo editors, VPN services, and fitness trackers, are actually designed to steal users’ Facebook account credentials. By requiring users to “Log In with Facebook” to access their features, the apps are harvesting the Facebook login info. Most of the apps are designed for Android, and while the majority are consumer applications, nearly fifty seem to specifically target individuals using Facebook’s business tools.
Adding insult to injury, most of the apps don’t even offer the services they advertise. “Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login,” Meta’s Director of Threat Disruption, David Agranovich, told Engadget. In addition to sending warnings via push notifications to Facebook users, Meta shared its findings with both Apple and Google, and both companies have confirmed that the scam apps have been removed from their stores.
Toyota leaves the keys in the car door.
Leading carmaker Toyota has disclosed that an access key was made publicly available on an internet hosting service, leaving customer data exposed for nearly five years. Last month the company discovered that a portion of the source code for T-Connect, the automaker's official smartphone connectivity app, was inadvertently published on GitHub, and the code included an access key to a server containing the email addresses and management numbers of nearly 300,000 customers. Bleeping Computer notes that, after making the discovery, the auto manufacturer changed the database’s keys in order to lock out any potential prying eyes. Toyota claims a development subcontractor is at fault for the error, but recognizes they should not have allowed it to happen. Compromised individuals have been advised to be on the lookout for any suspicious email activity.
Dialog IT discloses security incident.
Australian infotech company Dialog IT has disclosed it suffered a security incident in which an unauthorized user “may have accessed company data, potentially affecting fewer than 20 clients and 1,000 current Dialog employees as well as former employees.” A sample of the allegedly stolen data, including some personal employee information, has been published on the dark web. CRN Australia explains that Dialog first learned of the breach on September 10 and shut down the impacted servers for two days as a precaution. Though a forensic investigation showed no evidence that any data had been exfiltrated, on October 7 the data sample was discovered on the dark web. The incident makes Dialog IT the second Australian company owned by Singapore Telecommunication Ltd, or Singtel, to have recently experienced a security incident, as last week mobile provider Optus also disclosed a breach that potentially exposed the data of its millions of customers. There is reportedly no connection between the two incidents, and the Dialog data exposure is orders of magnitude smaller than the one that affected Optus.