The FileFix attack impersonated a Facebook security alert, tricking users into executing malicious commands disguised as a PDF file appeal process. Victims unknowingly ran a multi-stage payload that dropped the StealC infostealer, a malware capable of harvesting credentials from browsers (Chrome, Firefox, Opera, etc.), cryptocurrency wallets (20+ types), messaging apps (Telegram, Discord, Thunderbird), VPNs (OpenVPN, Proton VPN), cloud services (AWS, Azure), and gaming platforms (Ubisoft, Battle.net). The attack leveraged AI-generated decoy images (e.g., houses, doors) embedded with PowerShell scripts and encrypted executables, evading detection by mimicking benign user actions (downloading a JPG). The malware also checked for virtual machines (VMs) to avoid sandbox analysis. While the article does not confirm direct financial losses or data breaches at Facebook, the campaign’s global reach (US, Germany, China, etc.) and sophisticated evasion techniques suggest high-risk exposure for users’ personal, financial, and corporate credentials. The attack’s rapid evolution (from a July 2023 PoC to a 517% surge in 6 months) highlights its effectiveness in bypassing traditional phishing defenses, posing reputational harm to Facebook’s platform security and potential downstream fraud for affected users.

Meta has been fined €265 million ($275.5 million) by the Irish data protection commission (DPC) for the data leak suffered by Facebook. It exposed the data belonging to millions of Facebook users. The Data Protection Commission is also imposing a range of corrective measures on Meta. On April 3rd, 2021, a user leaked the phone numbers and personal data of 533 million Facebook users in a hacking forum for free online. Leaked data included users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.

A threat actor published the phone numbers and account details of about 533 million Facebook users. The leaked data included information that users posted on their profiles including Facebook ID numbers, profile names, email addresses, location information, gender details, and job data. The database also contained phone numbers for all users, information that is not always public for most profiles.

Facebook is charged with another fine. This time the social network is handing over CAD$9 million (US$6.5 million / £5.3 million) to Canada as part of a settlement. Facebook “made false or misleading claims about the privacy of Canadians’ personal information on Facebook and Messenger” and improperly shared data with third-party developers. Facebook gave the impression that users could control who could see and access their personal information on the Facebook platform when using privacy features. Facebook also allowed certain third-party developers to access the personal information of users’ friends after they installed certain third-party applications.

Russian court fines social media company Facebook $63,000 over data law breach. Facebook failed to comply with a Russian data law. The Tagansky District Court in Moscow fined Facebook for its refusal to put its server holding data about Russian citizens on Russian territory.

Data from millions of Facebook users who used a popular personality app was left exposed online for anyone to access. Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions. It led to it being left vulnerable to access for four years & gaining access illicitly was relatively easy. The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. Facebook suspended myPersonality from its platform saying the app may have violated its policies due to the language used in the app and on its website to describe how data is shared. More than 6 million people completed the tests on the myPersonality app and nearly half agreed to share data from their Facebook profiles with the project. All of this data was then scooped up and the names removed before it was put on a website to share with other researchers.

A Las Vegas man called Spam King had faced federal fraud charges for allegedly luring Facebook users to third-party websites and collecting personal data for spam list. He used to trick people into revealing their login details which he then used to access half a million accounts and used this to send spam to other Facebook users. He also used to target the users with bogus "friend requests" for distributing spam.