Cyble, a cyber threat intelligence platform, which recently exposed the [sale of over 500,000 Zoom accounts](https://www.businessinsider.com/500000-zoom-accounts-sale-dark-web-2020-4?r=US&IR=T), is back with another worrying exposure: Cyble researchers have found a &#x201c;threat actor&#x201d; reveal the identities of 267 million Facebook users online for just 500 euros (₹ 41,500), as mentioned on Cyble&#x2019;s [blog](https://medium.com/@cyble/267-million-facebook-identities-for-500-euros-8ddceebdc170).

The data includes email addresses, names, Facebook IDs, dates of birth and phone numbers which Cyble researchers were able to buy, download and verify. While no passwords were exposed by the hacker, the data exposed is enough to put together a phishing scam&#x2014;which can lead to more valuable data being further stolen.

@AuCyble has uncovered a hacker selling 267 Million Facebook users identity for just USD$540.Protect yourself by changing your passwords regularly and using two-factor authentication. Find out more here: https://t.co/aimtGCPAS6— Sainty Law (@SaintyLaw) April 21, 2020



Sainty Law on Twitter

Late last year, that same number of User IDs were [found online](https://www.telegraph.co.uk/news/2019/12/20/facebook-personal-details-267-million-users-exposed-online/) for sale. &#x201c;We are looking into this,&#x201d; Facebook said at the time, &#x201c;but believe it is likely information obtained before changes we made in the past few years to better protect people&#x2019;s information.&#x201d;

Facebook also [revealed in November last year](https://developers.facebook.com/blog/post/2019/11/05/changes-groups-api-access/) that at least 100 app developers may have accessed Facebook users' data for months, confirming that at least 11 partners "accessed group members' information in the last 60 days".

While researchers state that they&#x2019;re not able to figure out yet as to how hackers managed to access the data, they are suspecting that it might be because of a leakage in third party API or web scraping. Web scraping refers to the extraction of data from a website into a spreadsheet or a local file; it is most commonly used for competitor analysis, betting and market research.

As people work and socialize from home, video conferencing software Zoom <a href="https://www.vice.com/en_us/article/m7qwgx/what-is-the-most-secure-video-conferencing-software" target="_blank">has exploded in popularity</a>. What the company and its privacy policy don't make clear is that the iOS version of the Zoom app is sending some analytics data to Facebook, even if Zoom users don't have a Facebook account, according to a Motherboard analysis of the app. This sort of data transfer is not uncommon, <a href="https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636" target="_blank">especially for Facebook</a>; plenty of apps use Facebook's software development kits (SDK) as a means to implement features into their apps more easily, which also has the effect of sending information to Facebook. But Zoom users may not be aware it is happening, nor understand that when they use one product, they may be providing data to another service altogether. "That's shocking. There is nothing in the privacy policy that addresses that," Pat Walshe, an activist from Privacy Matters who has analyzed Zoom's privacy policy, said in a Twitter direct message. Upon downloading and opening the app, Zoom connects to Facebook's Graph API, according to Motherboard's analysis of the app's network activity. The Graph API is the main way developers get data in or out of Facebook. Do you know anything else about data selling or trading? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.The Zoom app notifies Facebook when the user opens the app, details on the user's device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a <a href="https://konsole.zendesk.com/hc/en-us/articles/115013349668-Identify-Android-AdIDs-Apple-IDFAs-and-Safari-IDs" target="_blank">unique advertiser identifier</a> created by the user's device which companies can use to <a href="https://www.singular.net/mobile-tutorial-series-idfa-apple-identifier-advertisers/" target="_blank">target a user with advertisements</a> The data being sent is similar to that which activist group the Electronic Frontier Foundation (EFF) found the app for <a href="https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers" target="_blank">surveillance camera vendor Ring sent to Facebook</a>. Will Strafach, an iOS researcher and founder of privacy-focused iOS app Guardian confirmed Motherboard's findings that the Zoom app sent data to Facebook. "I think users can ultimately decide how they feel about Zoom and other apps sending beacons to Facebook, even if there is no direct evidence of sensitive data being shared in current versions," he told Motherboard in a Twitter direct message."That's shocking. There is nothing in the privacy policy that addresses that." Zoom is not forthcoming with the data collection or the transfer of it to Facebook. Zoom's policy says the company may collect user's "Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products)," but doesn't explicitly mention anything about sending data to Facebook on Zoom users who don't have a Facebook account at all.Facebook told Motherboard it requires developers to be transparent with users about the data their apps send to Facebook. Facebook's <a href="https://www.facebook.com/legal/technology_terms" target="_blank">terms say</a> "If you use our pixels or SDKs, you further represent and warrant that you have provided robust and sufficiently prominent notice to users regarding the Customer Data collection, sharing and usage," and specifically for apps, "that third parties, including Facebook, may collect or receive information from your app and other apps and use that information to provide measurement services and targeted ads." Zoom's privacy policy says "our third-party service providers, and advertising partners (e.g., Google Ads and Google Analytics) automatically collect some information about you when you use our Products," but does not link this sort of activity to Facebook specifically.Several days after Motherboard reached out for comment and a day after the publication of this piece, Zoom confirmed the data collection in a statement to Motherboard. "Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," the statement read, and described the data being collected as the same sorts of information that Motherboard identified. "To address this, in the next few days, we will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold, and we encourage them to do so. We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data," the statement added.Zoom has a number of other potential <a href="https://www.vice.com/en_us/article/8xzjj4/zoom-video-conferencing-vulnerability-lets-hackers-turn-on-your-webcam" target="_blank">privacy issues too</a>. As the <a href="https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis" target="_blank">EFF laid out</a>, hosts of Zoom calls can see if participants have the Zoom window open or not, meaning they can monitor if people are likely paying attention. Administrators can also see the IP address, location data, and device information on each participant, the EFF added.Update: This piece has been updated to include a statement from Zoom. Subscribe to our cybersecurity podcast, <a href="https://itunes.apple.com/gb/podcast/cyber/id1441708044?mt=2" target="_blank">CYBER</a>.

vice

privacy

Tech

Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account

Coronavirus

Facebook

Software Development Kit

data transparency

privacy policy

COVID-19

If you&#x2019;re a Facebook user, it might be a good idea to change your password and to also ensure that you&#x2019;ve not reused this password elsewhere; password reuse is the single biggest enabler of account hijacks. Facebook has also advised users to enable the two-factor authentication to ensure any username and password breach will not enable an attacker to access your account. Users can check whether their email addresses have been found in dark web data breaches on [Cyble&#x2019;s site](https://amibreached.com/).

Hackers Sell Facebook Data of 267 Million Users for Just ₹ 41,500

Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account

ONE EMAIL. ONE STORY. EVERY WEEK. SIGN UP FOR THE VICE NEWSLETTER.