< ciso
brief />
Tag Banner

All news with #meta tag

48 articles

Meta’s NameTag controversy raises privacy alarms

🕶️ Meta’s Ray‑Ban smart glasses, boosted by AI, have sparked privacy concerns after leaked documents revealed a facial‑recognition feature called NameTag. The tool could match faces seen by the glasses to contacts or public profiles across Meta platforms and store unmatched faces in a “Pending” folder. Wired later reported that NameTag code and third‑party facial recognition components from Rank One Computing were embedded in the Meta AI companion app before being partially removed following public outcry.
read more →

Meta’s Muse Image enables reuse of public Instagram media

🖼️ Meta introduced Muse Image, an image-focused AI from Superintelligence Labs that can use public Instagram posts and reels to generate AI-created images, enabled by default. The feature lets users @-mention public accounts in the Meta AI app to incorporate specific profiles' media into new images and is being integrated into Instagram and WhatsApp in select countries. Users can opt out via Instagram Settings > Sharing and reuse, though previously created content will remain if generated before disabling the setting. For minors with public accounts, only followers may reuse their media if allowed; existing remixes won't notify original owners, and deleted content may be removed if accounts go private for over 24 hours.
read more →

Phishing campaign abused Facebook verification claims

🔒 Cybercriminals abused Facebook Messenger chatbots to deliver phishing messages that appeared to come from legitimate Facebook Business accounts. The campaign, active from November 2025 until June 2026, coaxed victims to log in on fake pages and surrender credentials, MFA codes, contact details and images of government IDs. Meta disrupted the infrastructure after Huntress reported the activity, but business accounts remain attractive targets.
read more →

Meta Prototypes Facial Recognition for Authorities

🔎 Meta is prototyping facial recognition systems intended for use by police and military, reportedly working with a Pentagon supplier to develop tools that can identify people in real time. The project follows longstanding interest from agencies like ICE in deploying camera-equipped eyewear and other devices for live identification. Concerns persist about privacy, accuracy, and potential misuse as the company explores real-time identification capabilities.
read more →

Meta pauses employee monitoring program after failures

🛑 Meta has frozen its Model Compatibility Initiative (MCI) after employees reportedly bypassed guardrails and accessed sensitive internal data, then did so again after an attempted fix. The program collected inputs like keystrokes, mouse movements, clicks, and screen content to train AI, and employees were initially not allowed to opt out. Meta says it found unauthorized access on June 18 and paused MCI while investigating, asserting no indication yet of improper access beyond what was reported. Analysts criticized inadequate protections and insufficient risk tagging for highly sensitive non-PII telemetry.
read more →

Smashing Security Podcast Episode 471 Overview

🎙️ Smashing Security episode 471 features Graham Cluley with guest James Ball discussing recent AI-related cybersecurity stories. They explore Meta AI mishaps that exposed passwords and an adaptive AI worm developed by University of Toronto researchers. The episode also touches on worms' history, the WannaCry aftermath, and the shifting legal and practical impacts of AI in cyber defense and offense.
read more →

Meta to Use Off‑Site Business Data for Personalization

🔒 Meta announced it will repurpose information businesses share about users' activity off its platforms to personalize Feed content and AI chatbot responses, expanding beyond targeted ads. The company said no new data collection is involved and that users can control this through an updated "Activity from other businesses" setting, replacing "Your activity off Meta technologies." The change will roll out next month in the U.S. and several other countries.
read more →

Meta: 20,225 Instagram Accounts Exposed by Bug

🔒 Meta disclosed that a bug in its AI-powered High Touch Support (HTS) tool allowed attackers to request password reset links to email addresses not associated with targeted Instagram accounts, enabling unauthorized access where two-factor authentication was not enabled. The issue was discovered on May 31, affecting 20,225 users and exposing contact details, profile data, posts, messages and activity history. Meta disabled the HTS tool, invalidated reset links, enforced mandatory security checkpoints on impacted accounts, and instructed users to reset passwords and enable 2FA while it reviews recovery flows.
read more →

Meta AI support flaw led to large Instagram account hijacks

🔒 Meta disclosed that a vulnerability in its AI-assisted High Touch Support (HTS) tool allowed threat actors to reset passwords and hijack over 20,000 Instagram accounts. Attackers exploited HTS by submitting email addresses not verified against target accounts, obtaining reset links for accounts without 2FA. Meta disabled the HTS system, invalidated generated reset links, secured impacted accounts, and required affected users to reset passwords and re-authenticate. The company said it will fix the verification check and review similar recovery flows across its platforms.
read more →

When AI Support Workflows Become an Authorization Risk

🔒 Reporting suggests attackers used Meta’s AI support chatbot to change recovery emails on high-profile Instagram accounts, leading to notable takeovers. The core issue isn’t just prompt injection or a model jailbreak but that the AI operated within a sensitive account recovery workflow with insufficient independent verification. Organizations must treat AI-driven support actions as part of the security boundary and constrain authority, permissions, and verification around such agents.
read more →

AI Support Bot Exploit Lets Attackers Hijack Instagram

🔒 A wave of account takeovers targeted high-profile Instagram profiles after attackers shared instructions for tricking Meta’s AI support assistant into relinking accounts to attacker-controlled email addresses. The technique, circulated on Telegram on May 31, reportedly involved using a VPN to appear from the target’s locale, initiating a password reset, and persuading the AI bot to add a new email. Meta acknowledged a brief compromise of a dormant Obama White House account and pushed an emergency patch while asserting no backend database was breached. Experts warn AI-driven support flows introduce new attack surface and recommend strong MFA such as passkeys or security keys to mitigate risk.
read more →

Meta smart glasses, Copy Fail bug, and deepfake hire

🔍 Meta’s smart glasses were found to upload audio and video to contractors in Nairobi for human labelling, prompting the dismissal of 1,108 workers after whistleblowers exposed the practice. The episode contrasts that privacy failure with a measured analysis of the Linux Copy Fail privilege‑escalation issue and an experiment by Jake Moore demonstrating how a convincing deepfake passed a remote job interview. Practical takeaways include patching kernels promptly, strengthening hiring verification, and demanding clearer vendor transparency.
read more →

FTC: Americans Lost Over $2.1B to Social Media Scams in 2025

📢 The FTC reports Americans lost more than $2.1 billion to social media scams in 2025, an eightfold increase since 2020. Facebook accounted for the largest share of reported losses across most age groups, while WhatsApp and Instagram trailed. The agency warns scammers exploit hacked accounts, targeted posts, and paid ads to reach victims at scale. Meta removed millions of scam ads and accounts and rolled out new warnings and protections.
read more →

LinkedIn's Hidden Script Scans 6,000+ Chrome Extensions

🔍 LinkedIn was found to inject hidden JavaScript that fingerprints visitors' browsers, testing for over 6,000 Chrome extensions and collecting device and system details such as CPU cores, memory, screen resolution, timezone, battery status, audio information, and storage features. Researchers say the script links extension presence to identifiable profiles; LinkedIn confirms extension detection but insists it is used to stop scraping and protect platform stability. BleepingComputer observed a randomized script file performing the checks but could not verify claims about downstream sharing or commercial use.
read more →

LinkedIn scans 6,000+ Chrome extensions, gathers device info

🔍 A new report named BrowserGate alleges that LinkedIn injects hidden JavaScript into user sessions to probe browsers for installed extensions and collect device characteristics. BleepingComputer independently observed a randomized script that attempted to detect 6,236 extensions by checking extension resource URLs and also harvested CPU, memory, screen, timezone, battery, audio, and storage details. LinkedIn says it looks for extensions that scrape content or violate its Terms and uses detection to inform defenses and enforcement, while the report warns this scanning could map competitors' customers and enable profiling. The use and sharing of the collected data have not been independently verified.
read more →

WhatsApp Alerts 200 Users After Fake iOS App Spyware

⚠️ Meta-owned WhatsApp said it alerted about 200 users, largely in Italy, who were fooled into installing a counterfeit iOS app infected with spyware. The company logged affected accounts out, advised victims to uninstall the malicious app and reinstall the official WhatsApp client, and said it is taking action against Italian firm Asigint, an alleged SIO subsidiary. The alert follows earlier campaigns targeting users with Graphite and chained zero-day exploits in 2025, highlighting persistent misuse of surveillance tools in Europe.
read more →

WhatsApp adds AI tools, iOS multi-account and transfers

🤖 WhatsApp is rolling out several usability and AI-driven features, including a Writing Help reply assistant that uses Private Processing, and photo touch-up powered by Meta AI. The update also enables two accounts on iOS, a chat history transfer from iOS to Android, and a utility to locate and remove large media. Meta has also expanded anti-scam protections and introduced parent-managed accounts and a lockdown security mode for high-risk users.
read more →

Google and Partners Sign Global Accord to Combat Scams

🤝 Google announced it has signed the Industry Accord Against Online Scams & Fraud with major industry partners including Adobe, Amazon, LinkedIn, Meta, Microsoft and OpenAI. The agreement commits participants to unify capabilities, share threat intelligence and coordinate defenses against sophisticated, cross-border scam networks. Google said it will expand technical support and deploy AI-driven detection tools, building on $15 million in Google.org funding. In 2026 the company will share more through the Global Signal Exchange and publish guides on data sharing, private sector referrals to law enforcement, and public policy frameworks.
read more →

Meta to End Instagram End-to-End Encryption Support

🔒 Meta will discontinue support for end-to-end encryption for Instagram chats after May 8, 2026, and says affected users will receive instructions to download any messages or media they wish to keep. The company notes some users may need to update older versions of the app before downloading impacted chats. The encrypted-direct-messaging feature was first tested in 2021 and remains available only in select regions and not enabled by default.
read more →

WhatsApp rolls out parent-managed accounts for pre-teens

🔒 WhatsApp has begun rolling out parent-managed accounts for pre-teens, enabling guardians to control who can contact their child and which groups they can join. These managed profiles limit the child to messaging and calling, exclude access to Meta AI, Channels, Status, and location sharing, and preserve end-to-end encryption so messages cannot be read by third parties. Setup requires both devices present: parents verify the child's number, scan a QR code to link accounts, and set a 6-digit PIN to lock parental controls. By default children can message only saved contacts and parents must approve group additions; the child can switch to a standard account at 13.
read more →