Instagram Company Cyber Security Posture

Description: A well-known hacking community forum was selling a 2022 database of 487 million WhatsApp user mobile numbers. The dataset allegedly contained WhatsApp user data from 84 countries including over 32 million US user records. It also contained another huge chunk of phone numbers belonging to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).

Description: Meta has been fined €265 million ($275.5 million) by the Irish data protection commission (DPC) for the data leak suffered by Facebook. It exposed the data belonging to millions of Facebook users. The Data Protection Commission is also imposing a range of corrective measures on Meta. On April 3rd, 2021, a user leaked the phone numbers and personal data of 533 million Facebook users in a hacking forum for free online. Leaked data included users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.

Description: Meta suffered a data privacy breach after dozens of employees and contractors — including Meta security guards revealed they were improperly accessing users’ accounts. The employees and contractors wrongly used Facebook’s internal mechanism for helping password-forgetting users reclaim their accounts. They even assisted third parties to fraudulently take control over Instagram accounts. The Meta fired the employees as soon as it got to know about the incident.

Description: Russian court fines social media company Facebook $63,000 over data law breach. Facebook failed to comply with a Russian data law. The Tagansky District Court in Moscow fined Facebook for its refusal to put its server holding data about Russian citizens on Russian territory.

Description: Facebook is charged with another fine. This time the social network is handing over CAD$9 million (US$6.5 million / £5.3 million) to Canada as part of a settlement. Facebook “made false or misleading claims about the privacy of Canadians’ personal information on Facebook and Messenger” and improperly shared data with third-party developers. Facebook gave the impression that users could control who could see and access their personal information on the Facebook platform when using privacy features. Facebook also allowed certain third-party developers to access the personal information of users’ friends after they installed certain third-party applications.

Description: Facebook disclosed that 87 million users far more than the 50 million people who first believed have been impacted by the Cambridge Analytica issue. Mike Schroepfer, the chief technology officer of Facebook, offered further information about the matter, including updated estimates of the total number of users impacted. Additionally, the CTO described how Facebook gives its users new privacy tools. Following the Cambridge Analytica scandal, Facebook removed several Russian accounts that were propagandised.

Description: Meta faced a significant privacy breach as the Texas attorney general accused it of capturing biometric data of millions of Texans without consent, utilising a facial recognition feature. Although no explicit data leakage was reported, the breach posed a reputational risk and raised concerns over personal data handling, resulting in a massive $1.4 billion settlement. This incident highlights the increasing scrutiny of tech giants regarding data privacy practices, and their potential financial and reputational impacts.

Description: Instagram is contending with a proliferation of AI-generated influencer accounts that are appropriating content from real models and creators, supplanting their faces with AI-created visages, and monetizing the reconstituted content. This practice, termed 'AI pimping,' undermines the livelihood of legitimate content creators like Elaina St James, whose monthly views have plummeted due to competition with these counterfeit entities. With 1,000+ AI-influenced accounts identified, the issue represents a significant shift in content dynamics on the platform, reflecting a move towards a blended unreality where AI-generated content could overshadow human creators, posing threats to both the creative industry and the authenticity of social media engagement.

Description: Meta's virtual reality headsets have been implicated in a potential security breach through the use of Big Mama VPN, a free VPN service that sells access to users' home internet connections. Teenagers have been using this VPN to cheat in the game Gorilla Tag by creating a delay to easily ‘tag’ opponents. However, the same service has been linked to cybercriminal activities, as it allows buyers to hide their online activities by piggybacking on the VR headset's IP address. While this tactic mainly targets individual users for in-game advantage, it has been associated with residential proxy services, which are popular among cybercriminals for conducting cyberattacks using proxy networks and botnets. This could lead to more significant privacy and security breaches for Meta's VR headset users.

Description: Meta is facing an issue where a company, Joy Timeline, has been advertising generative AI apps on its platforms that enable users to 'nudify' people without their consent. This has led to a lawsuit by Meta to prevent Joy Timeline from listing its ads. The ads violate Meta's platform safety and moderation policies and have been linked to an increase in blackmail and 'sextortion' schemes, often targeting women and female celebrities. The ads have been discovered across Meta's platforms, including Facebook, Messenger, Instagram, and Threads.

Description: A Las Vegas man called Spam King had faced federal fraud charges for allegedly luring Facebook users to third-party websites and collecting personal data for spam list. He used to trick people into revealing their login details which he then used to access half a million accounts and used this to send spam to other Facebook users. He also used to target the users with bogus "friend requests" for distributing spam.

Description: In Moldova, intrusive ad campaigns and disinformation operations targeting social media users have been deployed on platforms like Facebook and TikTok, leading to considerable political unrest. Earning at least $200,000 from these politically motivated ads, Meta's platforms have become conduits for a pro-Kremlin faction seeking to influence election outcomes and destabilize local governance, undermining societal trust and contributing to diplomatic tensions which can potentially threaten the nation's geopolitical affiliations and internal stability.

Description: Instagram faces an explosion of AI-generated influencer accounts using deepfake technology to steal videos from real models and monetize them. This trend undermines the platform's credibility and the income of authentic creators. Real models' views have plummeted, directly impacting their livelihoods. Instagram's lack of action against this widespread issue has industrialized AI exploitation, signaling a concerning shift towards AI dominance in social media content.

Description: Data from millions of Facebook users who used a popular personality app was left exposed online for anyone to access. Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions. It led to it being left vulnerable to access for four years & gaining access illicitly was relatively easy. The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. Facebook suspended myPersonality from its platform saying the app may have violated its policies due to the language used in the app and on its website to describe how data is shared. More than 6 million people completed the tests on the myPersonality app and nearly half agreed to share data from their Facebook profiles with the project. All of this data was then scooped up and the names removed before it was put on a website to share with other researchers.

Description: A threat actor published the phone numbers and account details of about 533 million Facebook users. The leaked data included information that users posted on their profiles including Facebook ID numbers, profile names, email addresses, location information, gender details, and job data. The database also contained phone numbers for all users, information that is not always public for most profiles.

Description: The bug was found on WhatsApp's platform. Phone numbers of crores of users have been published on Google. Mobile numbers of 29,000 to 30,000 users were appearing in text format on Google due to the bug.

Description: Meta suffered a data privacy breach that exposed 100 of million phone numbers linked to Facebook accounts that have been found online. The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam. But because the server wasn’t protected with a password, anyone could find and access the database. Each record contained a user’s unique Facebook ID and the phone number listed on the account, which can be easily used to discern an account’s username.

Description: The names and profile pictures of users who were a part of certain groups, according to Facebook Inc., were shared privately by users within some groups on its main social network. Which users shared posts or left comments inside a group could be seen by a programme that enables information sharing between Facebook and outside developers. Access to the material has reportedly been withdrawn or restricted, according to the organisation. A recent examination by the corporation revealed that this additional information was also being distributed.

Description: Facebook suffered from a data breach incident that exposed over 267 million Facebook users' information. The compromised information includes names, phone numbers, and profiles. The database was available online without a password, exposing sensitive personal data to anyone who accessed it. It was unidentified exactly how the data had been accessed or what it was being used for. It was found that the data could be used for spam messaging and phishing campaigns and the company said they contacted the internet service provider that was hosting the database.

Description: The Irish Data Protection Commission (DPC) has fined Meta €265 million ($275.5 million) for the data leak that Facebook experienced in 2021 which exposed the data of millions of Facebook users. In a hacker forum, a user posted the phone numbers and personal information of 533 million Facebook users for free online. Alon Gal, the CTO of the cyber intelligence company Hudson Rock, broke the news about the data's accessibility first. After learning about the data loss, the Irish DPC immediately began looking into any GDPR violations by Meta. Threat actors used a vulnerability that was addressed in 2019 to scrape data from the social network to gather the data.

Description: In 2019, Meta faced a password storage lapse resulting in hundreds of millions of Facebook, Facebook Lite, and Instagram passwords being stored unprotected in plaintext on internal platforms. This lapse in data protection led to a substantial fine of €91 million by the Irish Data Protection Commission for violating the EU's General Data Protection Regulation. The exposure of such sensitive data posed a significant risk of abuse and unauthorized access to users' social media accounts, undermining user privacy and security.

Description: In the virtual reality game Gorilla Tag, a clever exploit involving a free VPN called Big Mama VPN has been uncovered. Teenagers have used the VPN to cheat by creating a lag to more easily 'tag' other players. What makes Big Mama VPN particularly concerning is that it also sells access to users' internet connections, allowing others to disguise their online activities using the VR headset's IP address. This has been linked to cybercriminal activity and has placed the users’ privacy and security at risk. However, in this scenario, there does not appear to be any actual data breach or cyberattack directly impacting Meta's systems or its users' personal data.

Description: WhatsApp experienced a sophisticated cyber attack exploiting a zero-day vulnerability, leading to the unauthorized deployment of Graphite spyware against journalists and civil society members. While the attack did not result in a client-side update, affecting approximately 90 users internationally, it demonstrates the significant risks associated with spyware operations. The incident triggered a server-side fix and raised concerns about the potential for misuse of advanced surveillance tools sold to governments, highlighting the challenge of regulating spyware use and ensuring the protection of fundamental rights and freedoms.

Description: Meta detected a high-severity security vulnerability in the FreeType font rendering library that has likely been exploited. The flaw, tracked as CVE-2025-27363 with a CVSS score of 8.1, enables remote code execution through manipulated TrueType GX and variable fonts. Versions up to 2.13.0 are affected, with the risk extending to various Linux distributions. Although a patch was issued two years prior, it remains unapplied in systems like Ubuntu 22.04, Debian, Amazon Linux 2, Alpine Linux, RHEL, and CentOS. Meta urges immediate updates to FreeType 2.13.3 to prevent further exploitation of this vulnerability.

Description: A critical vulnerability identified in WhatsApp for Windows allows attackers to execute arbitrary code by sending seemingly harmless file attachments that exploit the application's handling of MIME types and file extensions. Designated as CVE-2025-30401, the high-severity flaw affects versions up to 2.2450.5 and has been rectified in version 2.2450.6. The spoofing vulnerability could deceive users into interacting with malicious attachments, leading to unauthorized execution of code and potential data theft. This issue also raises concerns in group chats where a single malicious attachment can compromise multiple users. Immediate updating to a patched version is urged.

Description: Meta uncovered a medium-severity vulnerability in the WhatsApp application for Windows that could deceive users into executing malicious .exe files, misleadingly represented as innocuous images. The flaw exploited MIME type and filename extension mismatches to manipulate file representations within the chat. Although there was no recorded abuse of this flaw in the wild, Meta promptly addressed the issue through an update recommended for all users to mitigate potential exploitation that could compromise systems through social engineering tactics. The vulnerability, having been a potential vector for cyberattacks via widely circulated images within WhatsApp groups, posed a significant threat to user security.

Description: A researcher discovered a bug in the Meta AI chatbot that allowed unauthorized access to private user conversations. The bug was reported to Meta, which awarded the researcher a $10,000 bounty. The bug allowed anyone to view private prompts and responses by changing unique identification numbers, potentially exposing a host of users' conversations. Meta confirmed the fix and stated no evidence of abuse was found.