Cybersecurity news headlines for 15-30 April, 2019
To continue our April edition of cybersecurity news headlines, we have 3 stories to report on. We talk about Facebook, its data harvesting practices and inability to secure user data, as well as report on MalwareTech pleading guilty to two charges of conspiring to create and distribute the banking trojan Kronos.
Facebook admits to collecting email contacts of 1.5 million users
Facebook is severely lacking when it comes to protecting its users’ data. After the whole Cambridge Analytica debacle, many other privacy-related issues came to light, and it seems to be only getting worse.
Earlier this month, it was revealed that Facebook used a rather dubious email verification system for new users. The questionable system, which according to Facebook is no longer in use, asked users to provide their email passwords. Supposedly, this practice was implemented to make verifying email addresses easier, but it ended up being yet another privacy disaster for Facebook. In addition to this highly unsafe and intrusive verification system, it was also revealed that when users provided their email credentials, a pop-up would notify them that Facebook was importing their email contacts. There were no indications that this would be done, and the data harvesting was performed without users’ permission.
Facebook did admit that the practice “isn’t the best way to go about this”, but the question is why they thought asking for email credentials was a good idea in the first place. While Facebook says the data harvesting was unintentional, that does not change the fact that around 1.5 million users potentially had their email contact information uploaded onto Facebook.
Facebook claims that the provided email passwords were not saved and the uploaded contacts were not shared with anyone, but the social media giant is giving users less and less reason to trust its claims.
Facebook admits to storing millions of plaintext Instagram passwords
If you followed the news last month, you will remember that Facebook admitted to accidentally storing millions of plaintext passwords of Facebook and Facebook Lite users. Initially, it was believed that only tens of thousands (a small number in comparison) of Instagram passwords were stored in plaintext, but the social media giant later revealed that it’s actually millions. However, the exact number was not specified. Affected Instagram users should be informed along with the Facebook ones.
“We discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users,” Facebook said in an update of the situation published on April 18, 2019.
Facebook has reassured users that the stored passwords were not abused or accessed by anyone.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”
Even with Facebook’s reassurances, it’s highly recommended for affected users to change their passwords.
Security researcher MalwareTech pleads guilty to Kronos charges
Marcus Hutchins, known as MalwareTech online, has pleaded guilty to conspiring to create and distribute the banking trojan Kronos. Hutchins is often referred to as the “accidental hero” who prevented the spread of WannaCry ransomware. Back in 2017, when the WannaCry ransomware was wreaking havoc across the world, Hutchins sinkholed a domain used by the ransomware and successfully halted the spread of the infection. All major media outlets across the world reported on WannaCry, and after Hutchins successfully halted its spread, he became a media sensation. Back then, he was solely going by MalwareTech, but his identity was revealed soon after by media outlets.
In the same year, Hutchins was arrested in Las Vegas by the FBI on suspicion of creating/selling the Kronos banking trojan between 2012 and 2015. A British citizen, he was banned from leaving the US. After almost two years of denying the charges, Hutchins has accepted a plea deal and pleaded guilty to two counts of creating and selling banking malware. The remaining 8 charges have been dropped.
“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes,” Hutchins said in a statement about the case.
The security researcher, who has made many contributions to the cybersecurity field, now faces up to 5 years in prison and a potential penalty of up to $250,000 for each charge.