
Meta's mission is to build the future of human connection and the technology that makes it possible. Our technologies help people connect, find communities, and grow businesses. When Facebook launched in 2004, it changed the way people connect. Apps like Messenger, Instagram and WhatsApp further empowered billions around the world. Now, Meta is moving beyond 2D screens toward immersive experiences like augmented and virtual reality to help build the next evolution in social technology. To help create a safe and respectful online space, we encourage constructive conversations on this page. Please note the following: • Start with an open mind. Whether you agree or disagree, engage with empathy. • Comments violating our Community Standards will be removed or hidden. Please treat everybody with respect. • Keep it constructive. Use your interactions here to learn about and grow your understanding of others. • Our moderators are here to uphold these guidelines for the benefit of everyone, every day. • If you are seeking support for issues related to your Facebook account, please reference our Help Center (https://www.facebook.com/help) or Help Community (https://www.facebook.com/help/community). For a full listing of our jobs, visit https://www.metacareers.com

Meta A.I CyberSecurity Scoring

Meta

Company Details

LinkedIn ID:

meta

Number of employees:

140,153

Number of followers:

11,513,481

NAICS:

5112

Industry Type:

Software Development

Homepage:

metacareers.com

IP Addresses:

291

Company ID:

MET_3105525

Scan Status:

In-progress

AI score: Meta Risk Score (AI oriented)

Between 700 and 749

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers TPRM score to calculate premium
Global score: Meta Global Score (TPRM)

XXXX


Meta

Moderate
Current Score
726
Ba (Moderate)
Scale: 0 to 1000
24 incidents
-6.0 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

NOVEMBER 2025
728
Vulnerability
21 Nov 2025 • Meta (WhatsApp)
WhatsApp Contact Discovery Vulnerability Enabling Large-Scale Account Enumeration

A critical **vulnerability** in WhatsApp’s **contact discovery feature** was exposed by researchers at the University of Vienna, enabling attackers to perform **large-scale account enumeration** via brute-force queries. The flaw allowed adversaries to verify the existence of up to **3.5 billion WhatsApp accounts** by uploading massive lists of phone numbers and exploiting WhatsApp’s server responses to confirm active accounts. While Meta patched the issue, the vulnerability posed severe risks, including the creation of **targeted phishing databases**, **identity-based social engineering**, and **multi-platform fraud operations** by associating phone numbers with user metadata (e.g., profile photos, statuses). The attack leveraged WhatsApp’s **phone-number-based identity system**, which lacks privacy controls, making users—especially in regions with low cybersecurity awareness—vulnerable to **reverse enumeration**. Though no direct data breach or financial loss occurred, the flaw exposed systemic weaknesses in **secure identity management**, highlighting the trade-off between **user convenience** (contact syncing) and **privacy risks**. Meta’s response included rate-limiting and code fixes, but the incident underscores the need for **pseudonymous identifiers** (e.g., hashed numbers) and **zero-knowledge proofs** to prevent future exploitation.

728
high -0
MET5592555112125
Privacy Vulnerability Account Enumeration Brute-Force Attack
Contact Discovery Feature Abuse Brute-Force Queries Metadata Exploitation
Lack of rate-limiting or size restrictions on contact list uploads, enabling mass verification of phone numbers associated with WhatsApp accounts.
Data Harvesting Targeted Phishing Preparation Identity-Based Social Engineering Fraud Enablement
Phone Numbers Account Existence Status Potential Profile Metadata (e.g., photos, statuses) WhatsApp Contact Discovery System Potential Erosion of User Trust in Privacy Protections Criticism of Phone Number–Based Identity Systems Elevated Risk Due to Phone Number Exposure
University of Vienna Researchers (Disclosure) Codebase Patches to Restrict Contact Query Abuse Implemented Limits on Contact List Uploads Enhanced Rate-Limiting for Queries Public Acknowledgment of Vulnerability Technical Disclosure via Research Collaboration
Phone Number Existence Verification Potential Profile Metadata (if scraped) Number Of Records Exposed: Up to 3.5 billion (theoretical maximum) Moderate to High (Phone numbers linked to identities, potential for phishing) Phone Numbers
Phone number–based identity systems inherently lack privacy protections and are vulnerable to enumeration attacks. Convenience features (e.g., contact discovery) can introduce systemic privacy risks if not properly rate-limited or obfuscated. Messaging platforms must balance usability with security, particularly in regions with low cybersecurity awareness. Proactive collaboration with academic researchers can help identify and mitigate large-scale vulnerabilities before exploitation.
Implement **rate-limiting** and **size restrictions** on contact list uploads to prevent brute-force enumeration. Adopt **zero-knowledge proofs** or **private set intersection (PSI)** techniques for contact discovery to minimize metadata exposure. Transition from **raw phone number identifiers** to **hashed or pseudonymous identifiers** to reduce linkage risks. Educate users on the risks of **phone number–based authentication** and promote alternative identity management practices. Monitor for **dark web sales** of enumerated phone number databases to preempt phishing or fraud campaigns. Encourage enterprises to **minimize exposure of personal phone numbers** in professional contexts.
Resolved (Vulnerability Patched)
No immediate action required for users, but heightened vigilance against phishing recommended. Users in high-risk regions (e.g., low cybersecurity awareness) should enable two-factor authentication.
Users advised to be cautious of unsolicited messages, even from known platforms. Enterprises encouraged to review identity management practices and limit phone number exposure.
Lack of **rate-limiting** on contact discovery queries. Over-reliance on **phone numbers as opaque identifiers** without privacy controls. Design trade-off prioritizing **user convenience** over **security** in contact syncing features. Patched contact discovery mechanism to restrict query volumes. Exploring long-term shifts to **privacy-preserving identity management** (e.g., PSI, hashing). Enhanced monitoring for **anomalous contact upload patterns**.
NOVEMBER 2025
732
Vulnerability
20 Nov 2025 • Meta (WhatsApp)
Largest Data Leak in History: WhatsApp User Data Enumeration Exploit

Researchers in Austria exploited a long-standing vulnerability in **WhatsApp** to harvest personal data from over **3.5 billion users**, marking what is described as the **largest data leak in history**. The flaw stemmed from WhatsApp’s phone number lookup feature, which allows users to retrieve details (name, phone number, profile image) by inputting a contact’s number. By automating this process using a custom tool built on **Google’s libphonenumber**, the researchers generated **63 billion phone numbers** and scraped data at a rate of **100 million accounts per hour**. The attack exposed **user identities globally**, including phone numbers, names, and profile pictures—information that could be weaponized for **phishing, spam, or targeted scams**. WhatsApp’s lack of **rate-limiting or blocking mechanisms** enabled the mass enumeration without detection. While no financial or sensitive transactional data was compromised, the scale of the breach poses severe **privacy risks**, undermining trust in the platform’s security. The incident highlights systemic weaknesses in **user data protection** on one of the world’s most widely used messaging apps, with potential downstream effects on **reputation and regulatory scrutiny** for Meta.

726
critical -6
MET4532045112025
data breach privacy violation unauthorized data enumeration
abuse of platform feature lack of rate limiting automated enumeration
WhatsApp phone number lookup feature absence of effective rate limiting
research purposes demonstration of vulnerability potential for malicious exploitation by third parties
phone numbers user names profile images (where available) WhatsApp user database potential erosion of user trust perception of weak privacy controls increased risk due to exposed phone numbers and associated metadata
phone numbers user names profile images Number Of Records Exposed: 3.5 billion+ moderate (personally identifiable information: phone numbers, names) yes (via automated enumeration) metadata (phone numbers, names) images (profile pictures) phone numbers names
potential violations of GDPR (EU) other global privacy laws (e.g., CCPA, LGPD)
Implement strict rate limiting on phone number lookup features Enhance monitoring for automated enumeration attempts Conduct privacy impact assessments for features enabling user data access Proactively notify affected users and regulators Review and strengthen API abuse protections
Lack of rate limiting on phone number lookup feature Insufficient protections against automated enumeration Over-reliance on user trust for feature abuse prevention
NOVEMBER 2025
733
Vulnerability
14 Nov 2025 • Meta
Critical Remote Code Execution (RCE) Vulnerabilities in AI Inference Server Frameworks

Cybersecurity researchers at Oligo Security discovered a series of critical **Remote Code Execution (RCE) vulnerabilities** in Meta’s AI inference server frameworks, stemming from insecure coding practices. The flaws originated from the unsafe use of **ZeroMQ (ZMQ)** and **Python’s pickle deserialization**, which were unknowingly propagated across multiple projects—including Meta’s—due to developers copying vulnerable code snippets verbatim between repositories. The vulnerabilities pose a severe risk, as they allow attackers to execute arbitrary code on AI servers, potentially compromising **sensitive training data, proprietary algorithms, or user interactions** processed by Meta’s AI systems. While no immediate breach or data theft has been confirmed, the exposure of such critical infrastructure could enable large-scale exploitation, including **supply-chain attacks, model poisoning, or unauthorized access to internal AI pipelines**. The systemic nature of the flaw—shared across major tech firms—heightens the risk of cascading security failures if left unpatched. Meta, alongside other affected organizations, is likely scrambling to deploy fixes, but the incident underscores the dangers of **code reuse without security vetting** in AI/ML ecosystems.

732
critical -1
MET2632026111425
Vulnerability Remote Code Execution (RCE)
Unsafe deserialization (Python pickle) ZeroMQ (ZMQ) misuse
CVE pending (ZeroMQ unsafe usage) CVE pending (Python pickle deserialization)
AI inference servers (Meta, Nvidia, Microsoft, vLLM, SGLang) Operational Impact: Potential unauthorized code execution on AI infrastructure Brand Reputation Impact: High (due to widespread vulnerability in critical AI frameworks)
Oligo Security (research/disclosure)
Code reuse without security review can propagate vulnerabilities across ecosystems. Critical infrastructure (e.g., AI frameworks) requires stricter scrutiny of third-party dependencies and serialization practices.
Avoid unsafe deserialization (e.g., Python pickle) in production systems. Audit copied code for security flaws before integration. Implement secure alternatives to ZeroMQ or enforce strict input validation. Conduct regular security reviews of AI/ML infrastructure dependencies.
Ongoing (vulnerabilities disclosed, patches likely in development)
AI inference servers
Unsafe use of ZeroMQ (ZMQ) in AI frameworks Python pickle deserialization vulnerabilities Code copying between projects without security validation
OCTOBER 2025
736
Cyber Attack
13 Oct 2025 • Facebook (Meta)
Fake Settlement Claim Phishing Scams Targeting Facebook and AT&T Settlement Payouts

Facebook (Meta) faced a massive data breach leading to a **$725 million settlement** for compromised user data. Following the payout announcement, scammers exploited the situation by creating **fake settlement claim websites and phishing emails** to trick victims into divulging sensitive information—such as **Social Security numbers, banking details, and personal data**. These fraudulent schemes mimicked official settlement portals, leveraging urgency, fake trust badges, and deceptive URLs to harvest credentials. While the original breach itself involved unauthorized exposure of user records, the secondary attack—**phishing scams targeting settlement claimants**—expanded the impact by enabling identity theft, financial fraud, and further data exploitation. The incident highlights how breach settlements can become vectors for **follow-on cybercrime**, amplifying risks for affected individuals long after the initial incident.

730
high -6
MET4302043101425
Phishing Social Engineering Fraud
Fake Emails Fake Websites Spoofed URLs AI-Generated Scam Sites
Human Trust in Official-Looking Communications Lack of Public Awareness Generic Design of Legitimate Settlement Sites
Financial Gain Identity Theft Data Harvesting for Dark Web Sales
Social Security Numbers (Full or Partial) Banking Information Personal Identifiable Information (PII) Reports of Fraudulent Settlement Claims Identity Theft Cases Erosion of Trust in Legitimate Settlement Processes Increased Skepticism Toward Official Communications Identity Theft Risk: High Payment Information Risk: High
FTC IC3 CFPB Public Awareness Campaigns FTC Refunds Page Updates Reporting Mechanisms for Fake Sites Consumer Education on Red Flags Data Removal Services Recommendations Antivirus Software Promotion Media Coverage (e.g., Fox News) CyberGuy.com Advisories FTC Alerts Data Removal Services (e.g., CyberGuy.com Recommendations) Antivirus Software for Malicious Link Blocking
Social Security Numbers Banking Information Personal Identifiable Information (PII) Sensitivity Of Data: High Data Exfiltration: Likely (for Dark Web Sales) Full/Partial SSNs Bank Account Details Names Addresses
FTC Investigations into Fake Settlement Sites FTC Refunds Page (ftc.gov/enforcement/refunds) ClassAction.org
Scammers exploit high-profile settlements (e.g., Facebook, AT&T, Equifax) due to public awareness and urgency for payouts. Generic design of legitimate settlement sites makes them easy to spoof using AI tools (e.g., ChatGPT). Urgency tactics (e.g., countdowns, processing fees) are red flags for phishing scams. Official settlements never request full SSNs, banking details, or upfront payments. Cross-verification via FTC.gov or trusted sources is critical before submitting claims.
Always verify settlement sites via the **FTC Refunds Page (ftc.gov/enforcement/refunds)** or **ClassAction.org**. Avoid clicking links in emails/texts; manually enter URLs or use mailing addresses from official notices. Never provide full SSNs, banking details, or payment for 'processing fees' on settlement sites. Use **antivirus software** to block malicious links and phishing attempts (e.g., CyberGuy.com’s 2025 recommendations). Employ **data removal services** to reduce exposure of personal information on broker lists. Report fake sites to the **FTC (reportfraud.ftc.gov)**, **IC3 (ic3.gov)**, and **CFPB (consumerfinance.gov)**. Check for **spelling/grammar errors**, **odd URLs**, and **fake trust badges** on suspicious sites. Educate vulnerable groups (e.g., retirees) on **overpayment scams** and **fake debt collector tactics**.
Ongoing (Public Awareness Phase)
Do not click links in unsolicited settlement emails/texts. Legitimate settlements will not ask for full SSNs or banking details upfront. Use mail-in forms if available to avoid phishing risks. Report suspicious sites to FTC, IC3, and CFPB immediately.
Consumers advised to verify settlement claims via FTC.gov. Companies (e.g., Facebook, AT&T) urged to warn users about fake payout scams. Cybersecurity experts recommend antivirus and data removal services.
Phishing Emails Fake Websites Social Media DMs SMS Messages Settlement Recipients’ PII Banking Information Data Sold On Dark Web: Likely (Stolen SSNs, Banking Data)
Lack of public awareness about settlement verification processes. Ease of spoofing generic settlement sites using AI tools. Exploitation of consumer urgency for payouts after high-profile breaches. Enhanced FTC outreach on verifying settlements. Promotion of antivirus and data removal services (e.g., CyberGuy.com). Stricter domain registration controls for settlement-related URLs. Collaboration between companies (e.g., Meta, AT&T) and law enforcement to takedown fake sites.
SEPTEMBER 2025
751
Breach
19 Sep 2025 • Meta
Improper Document Redaction Leading to Exposure of Sensitive Corporate Data via AI Scraping

During antitrust proceedings, Meta’s legal team failed to properly redact sensitive documents, leaving critical internal and competitor information exposed. The flawed PDF redaction allowed entire paragraphs—including Apple’s iMessage metrics, Snap’s TikTok threat assessments, and Meta’s strategic evaluations—to be recovered via simple copy-paste. The leak triggered public backlash, with Apple questioning Meta’s trustworthiness, Snap calling the handling 'egregious,' and Google citing a 'casual disregard' for confidentiality. The exposed data, worth millions in R&D and legal positioning, included proprietary business intelligence and competitor insights, damaging Meta’s reputation and regulatory standing. The incident highlighted systemic failures in document sanitization, metadata removal, and oversight, exacerbating risks in an era where AI can rapidly exploit such oversights.

734
critical -17
MET5792757091925
Data Leak Improper Redaction AI-Assisted Exposure
Poor Document Handling Insufficient Redaction Metadata Exposure AI Scraping of Public Datasets
Visual Redaction Without Data Removal Unsanitized Metadata Lack of Automated PII Detection Manual Redaction Errors
Financial Gain (Credential Theft) Competitive Intelligence Reputational Damage Regulatory Exploitation
Windows Product Keys System Credentials Encryption Keys PII Corporate Strategy Documents (e.g., Meta’s antitrust filings) Loss of Trust from Partners (e.g., Apple, Snap, Google) Legal Scrutiny Increased Regulatory Risk Public Criticism from Competitors (e.g., Apple’s ‘trust’ concerns) Perception of ‘Casual Disregard’ for Confidentiality (Google) Egregious Handling Label (Snap) Potential GDPR/HIPAA/CPRA Violations Antitrust Proceedings Complications (Meta Case) Exposed PII in Resumes/Contracts
Audit of Document Workflows Adoption of Permanent Redaction Tools Automated PII Detection (AI/NLP) Audit Trails for Accountability Validation Testing of Redacted Files Expert Insights Publication (TechRadar Pro) Industry Awareness Campaigns Monitoring of Public Datasets/Forums for Leaked Data
Product Keys System Credentials PII Corporate Strategy Documents Financial Data Legal Filings High (Encryption Keys, Competitive Intelligence) Medium (PII) Unintentional (via Public Document Scraping) None (Data Was Improperly Redacted) PDF Word Documents Legal Filings Potential (e.g., SSNs in Resumes/Contracts)
Potential: GDPR (EU), HIPAA (US Healthcare), CPRA (California) Antitrust Proceedings (Meta Case) Public Rebuke from Competitors (Apple, Snap, Google) Regulatory Scrutiny (Meta Antitrust Case)
Legacy redaction tools often fail to permanently remove data, leaving text layers and metadata recoverable. Manual redaction is error-prone and inconsistent; automation (AI/NLP) is critical for scaling sensitive data detection. AI models amplify the risk of exposed data by ingesting improperly sanitized public documents. Document workflows must include audit trails to track redaction actions and ensure compliance. Proactive validation (e.g., testing redacted files for recoverable data) is essential to prevent leaks.
Replace visual redaction with **permanent data removal** tools that eliminate text layers and metadata. Implement **automated PII/credential detection** (AI/NLP) across all document types (contracts, filings, memos). Establish **audit trails** for redaction processes to ensure accountability and regulatory compliance. Conduct **regular audits** of document workflows, mapping where sensitive data is shared or published. Test redacted files by attempting to recover hidden data; engage third-party auditors for validation. Treat privacy as a **competitive advantage**, not just a compliance requirement, to build trust with partners and customers. Monitor **public datasets and AI training sources** for exposed corporate data proactively.
Ongoing Industry Awareness (No Specific Incident Investigation Detailed)
Companies urged to audit document workflows and adopt permanent redaction practices.
Over-reliance on **visual redaction** (black boxes) instead of data removal. Lack of **automated tools** to detect PII/credentials in documents. Absence of **audit trails** to track redaction actions. **Metadata exposure** in shared files (e.g., revision histories, comments). AI models **ingesting improperly sanitized public documents**, enabling prompt-based extraction. Deploy **permanent redaction software** (e.g., Redactable). Integrate **AI/NLP-based PII detection** into document workflows. Implement **mandatory validation testing** for redacted files. Train employees on **secure document handling** and redaction best practices. Monitor **dark web/forums** for leaked credentials or proprietary data.
AUGUST 2025
748
JULY 2025
748
Vulnerability
17 Jul 2025 • Meta
Meta AI Chatbot Bug Allowed Unauthorized Access to Private Conversations

A researcher discovered a bug in the Meta AI chatbot that allowed unauthorized access to private user conversations. The bug was reported to Meta, which awarded the researcher a $10,000 bounty. The bug allowed anyone to view private prompts and responses by changing unique identification numbers, potentially exposing a host of users' conversations. Meta confirmed the fix and stated no evidence of abuse was found.

747
critical -1
MET608071825
Data Breach
Unauthorized Access
Unique Identification Number Guessing
Bug Bounty
Private prompts and responses Meta AI Chatbot
Bug Fix
Private prompts and responses
Understand privacy settings and avoid sharing PII with AI tools.
Do not log in to social media platforms while using AI tools. Use 'Incognito Mode' when available. Do not share private information with AI. Familiarize yourself with privacy policies. Never share PII.
Resolved
Root Causes: Lack of authorization checks on Meta's servers. Fixing the bug to prevent unauthorized access.
JUNE 2025
750
Vulnerability
16 Jun 2025 • Meta (WhatsApp)
Critical WhatsApp Metadata Exposure Vulnerability Affecting 3.5 Billion Users

A critical vulnerability in WhatsApp’s infrastructure exposed metadata of over **3.5 billion users globally**, including phone numbers, approximate locations, device types, OS details, account ages, and contact lists. Researchers at the University of Vienna demonstrated that the flaw allowed **unlimited unauthorized data requests**, enabling adversaries to correlate metadata into detailed user profiles across **245+ countries**. Particularly alarming was the exposure of users in **high-surveillance regions (China, Iran, Myanmar)**, where such leaks could trigger state-level tracking or repression. While Meta (Advisory 2025) claims no evidence of malicious exploitation, the breach’s scale and the **geopolitical sensitivity of the leaked data**—combined with the potential for **mass profiling, targeted phishing, or state-sponsored surveillance**—undermine trust in the platform’s privacy safeguards. The incident reignites debates on **global communication security** and the risks of centralized metadata repositories in messaging apps.

746
critical -4
MET1032410112025
data exposure metadata leak vulnerability exploitation
unauthorized API/data request abuse lack of rate-limiting on metadata queries
Unrestricted metadata access due to missing request throttling/validation on WhatsApp servers
metadata (phone numbers, locations, device/OS details, account ages) contact lists (associated phone numbers) WhatsApp servers user metadata databases Brand Reputation Impact: High (global scrutiny over privacy safeguards in major communication platforms) Identity Theft Risk: Moderate (metadata could enable targeted phishing or profiling)
Incident Response Plan Activated: Yes (Meta Advisory 2025 issued) University of Vienna security researchers (disclosure) Vulnerability patched at root level (per Meta) Public advisory (Meta Advisory 2025) Media statements
metadata contact lists Number Of Records Exposed: 3.5 billion Sensitivity Of Data: Moderate to High (enables user profiling, targeted attacks, or surveillance) Data Exfiltration: Potential (researchers demonstrated proof-of-concept; no evidence of wild exploitation) phone numbers approximate locations device/OS identifiers
Critical importance of rate-limiting and request validation for metadata APIs; need for proactive vulnerability testing in global communication platforms with high-risk user bases (e.g., restricted-access countries).
Implement stricter API rate-limiting and anomaly detection for metadata queries. Conduct third-party red-team exercises to identify similar flaws. Enhance transparency in disclosing vulnerabilities affecting high-risk regions. Review metadata retention policies to minimize exposure risks.
Ongoing (no evidence of malicious exploitation per Meta; independent research suggests potential prior abuse)
Meta Advisory 2025
Lack of rate-limiting on metadata API endpoints Insufficient validation of data request volumes Vulnerability patch (per Meta) Potential review of metadata access controls
Vulnerability
16 Jun 2025 • Meta (WhatsApp)
WhatsApp Zero-Click Exploit Vulnerability (CVE-2025-55177) and Apple ImageIO Flaw (CVE-2025-43300)

Meta’s WhatsApp platform was exploited via a zero-click vulnerability (CVE-2025-55177) in its device synchronization process, combined with a flaw in Apple’s ImageIO framework (CVE-2025-43300). This allowed attackers to remotely execute malicious code on victims’ devices without any user interaction, such as clicking links or opening files. Amnesty International described the campaign as one of the most sophisticated spyware attacks recently, targeting fewer than 200 high-profile users. While patches were released (iOS: 2.25.21.73+, macOS/Business: 2.25.21.78+), the attack demonstrated the severe risk of zero-click exploits, which bypass traditional defenses like phishing filters. The incident exposed the vulnerability of widely used communication tools to advanced, targeted spyware, enabling silent data exfiltration or surveillance. WhatsApp warned affected users and advised factory resets alongside enabling security modes (Lockdown Mode for iOS, Advanced Protection for Android). Though no large-scale data breach was confirmed, the potential for unauthorized access to sensitive communications—including those of journalists, activists, or executives—posed significant reputational and operational risks. The attack underscored the necessity of rapid patching and layered security measures against evolving threats.

746
critical -4
MET2711727110425
zero-click exploit spyware attack vulnerability exploitation
remote code execution (RCE) malicious URL processing device synchronization flaw Apple ImageIO framework vulnerability
CVE-2025-55177 (WhatsApp linked device synchronization) CVE-2025-43300 (Apple ImageIO framework)
espionage targeted surveillance
potential spyware installation unauthorized data access iOS devices (WhatsApp < 2.25.21.73) iOS devices (WhatsApp Business < 2.25.21.78) macOS devices (WhatsApp < 2.25.21.78) potential Android devices risk of undetected spyware persistence compromised device integrity eroded trust in WhatsApp security highlighted risks of zero-click exploits high (if spyware exfiltrated personal data)
Amnesty International (research) Meta’s internal security team patch deployment (iOS/macOS updates) user warnings for factory resets security mode activations (Lockdown Mode/Advanced Protection Mode) vulnerability patching factory reset recommendations for affected users direct warnings to <200 users public advisory via TechCrunch general user alerts for updates recommendations for users to enable advanced security modes
potential spyware-collected data (e.g., messages, contacts, media) device metadata high (if spyware accessed private communications) likely (spyware purpose) potential (if spyware exfiltrated PII)
Zero-click exploits bypass traditional defenses (e.g., phishing awareness). Rapid patch deployment is critical for widely used platforms. Targeted spyware campaigns are increasingly sophisticated and stealthy. Cross-platform vulnerabilities (e.g., WhatsApp + Apple) amplify attack surfaces. User education on advanced security modes (e.g., Lockdown Mode) is essential.
Users should immediately update WhatsApp to patched versions (iOS 2.25.21.73+/macOS 2.25.21.78+). Enable Lockdown Mode (iOS) or Advanced Protection Mode (Android) for high-risk individuals. Perform factory resets if warned by WhatsApp. Organizations should prioritize zero-click exploit mitigation in threat models. Collaborate with researchers (e.g., Amnesty International) to detect advanced spyware campaigns.
ongoing (initial focus on iOS/macOS; Android impact under investigation)
update WhatsApp immediately enable advanced security modes factory reset if notified
Meta warned <200 users directly public advisories issued for broader awareness
Flaw in WhatsApp’s linked device synchronization process (CVE-2025-55177). Vulnerability in Apple’s ImageIO framework (CVE-2025-43300). Lack of user interaction requirements (zero-click). Deployed patches for iOS/macOS WhatsApp versions. Recommended security mode activations and factory resets. Enhanced collaboration with security researchers for threat detection.
Vulnerability
16 Jun 2025 • Meta Platforms (WhatsApp)
Zero-Day Vulnerability in Meta’s WhatsApp (CVE-2025-55177) Exploited in Targeted Attacks

A zero-day vulnerability (CVE-2025-55177) was discovered in WhatsApp’s linked-device synchronization feature, allowing unauthorized users to force a target device to process malicious content from arbitrary URLs. When combined with an Apple OS-level flaw (CVE-2025-43300), this could enable remote exploitation via image previews—bypassing user interaction. The NCC Group’s assessment further revealed risks in WhatsApp’s Message Summarization Service, including potential leakage of secret user data, reuse of outdated Trusted Execution Environment (TEE) images with known vulnerabilities, and full container access privileges for attackers. Exploitation could also compromise RA-TLS private keys, enabling attacker impersonation of secure containers. While Meta mitigated risks with layered defenses and runtime attestation, the vulnerabilities posed a high-risk vector for targeted attacks, data exfiltration, and unauthorized system access. CISA issued urgent advisories, recommending patching, network monitoring, and temporary avoidance of WhatsApp until fixes were deployed.

746
critical -4
MET2064520090625
Zero-day vulnerability Unauthorized data processing Targeted attack
Linked-device synchronization messages Malicious image processing (via image IO library) Exploitation of OS-level vulnerability (CVE-2025-43300)
CVE-2025-55177 (WhatsApp incomplete authorization) CVE-2025-43300 (Apple OS-level vulnerability) Outdated TEE image reuse Confidential Virtual Machine (CVM) exploitation
Targeted surveillance Data exfiltration Privilege escalation
User data (potential leakage) RA-TLS private keys (risk of exposure) Container access privileges WhatsApp for iOS (prior to v2.25.21.73) WhatsApp Business for iOS (prior to v2.25.21.78) WhatsApp for Mac (prior to v2.25.21.78) Apple devices (via CVE-2025-43300) Risk of unauthorized container access Potential supplanting of CVM via RA-TLS keys Loss of user trust Erosion of trust in WhatsApp/Meta security Concerns over transparency and open-source verification Potential (via data exfiltration) RA-TLS key misuse
NCC Group (security assessment) CISA (advisory) Security patches released (WhatsApp v2.25.21.73+) Disabling linked-device sync from unauthenticated endpoints CISA advisory to monitor outbound HTTP traffic Layered defense model (Meta) Runtime attestation of critical components Client-side enforcement for data consent Public security advisory (WhatsApp) CISA warning to organizations NCC Group report publication Monitoring for unusual outbound HTTP requests (CISA recommendation)
User data (potential) RA-TLS private keys (risk) Container access privileges Sensitivity Of Data: High (cryptographic keys, user messages) Potential (via CVM exploitation) Arbitrary URL content processing Image files (via malicious image IO exploitation) Synchronization messages Personally Identifiable Information: Potential (if user data leaked)
CISA advisory issued
Criticality of patching both application and OS-level vulnerabilities in tandem Risks of outdated TEE images and CVM exploitation in cloud services Importance of verifiable transparency (open-source code, reproducible builds) Need for runtime attestation and layered defenses in messaging platforms
Apply WhatsApp security patches immediately (v2.25.21.73+ for iOS, v2.25.21.78+ for Mac) Disable WhatsApp until secure version is confirmed (per CISA advisory) Monitor network traffic for unusual outbound HTTP requests from WhatsApp clients Enforce client-side consent for data egress Adopt open-source verification and reproducible builds for critical artifacts (per NCC Group) Patch Apple devices to mitigate CVE-2025-43300 Avoid automatic image loading in messaging apps until vulnerabilities are patched
Ongoing (NCC Group assessment published; CISA advisory active)
Patch WhatsApp immediately Disable app if unable to patch Monitor for suspicious activity
CISA warning to organizations WhatsApp user notifications (via app updates)
Linked-device synchronization messages Malicious image files (via image IO exploit) High Value Targets: Specific individuals/organizations (targeted attacks)
Incomplete authorization in WhatsApp linked-device synchronization OS-level vulnerability (CVE-2025-43300) enabling chain exploitation Outdated TEE images with known vulnerabilities Automatic image loading without user interaction (image IO exploit) Released patches for WhatsApp (iOS/Mac) Enhanced runtime attestation for critical components Client-side enforcement for data consent CISA-recommended traffic monitoring for anomalies NCC Group’s call for open-source verification and reproducible builds
MAY 2025
748
APRIL 2025
747
Vulnerability
08 Apr 2025 • Meta
WhatsApp Vulnerability Allows Malicious .exe Files to Pose as Images

Meta uncovered a medium-severity vulnerability in the WhatsApp application for Windows that could deceive users into executing malicious .exe files, misleadingly represented as innocuous images. The flaw exploited MIME type and filename extension mismatches to manipulate file representations within the chat. Although there was no recorded abuse of this flaw in the wild, Meta promptly addressed the issue through an update recommended for all users to mitigate potential exploitation that could compromise systems through social engineering tactics. The vulnerability, having been a potential vector for cyberattacks via widely circulated images within WhatsApp groups, posed a significant threat to user security.

746
high -1
MET642040825
Vulnerability Exploit
Social Engineering
MIME type and filename extension mismatches
WhatsApp for Windows
Software Update
MARCH 2025
747
Vulnerability
19 Mar 2025 • Meta
High-Severity Vulnerability in FreeType Font Rendering Library

Meta detected a high-severity security vulnerability in the FreeType font rendering library that has likely been exploited. The flaw, tracked as CVE-2025-27363 with a CVSS score of 8.1, enables remote code execution through manipulated TrueType GX and variable fonts. Versions up to 2.13.0 are affected, with the risk extending to various Linux distributions. Although a patch was issued two years prior, it remains unapplied in systems like Ubuntu 22.04, Debian, Amazon Linux 2, Alpine Linux, RHEL, and CentOS. Meta urges immediate updates to FreeType 2.13.3 to prevent further exploitation of this vulnerability.

746
critical -1
MET547032025
Vulnerability Exploitation
Remote Code Execution
CVE-2025-27363
Ubuntu 22.04 Debian Amazon Linux 2 Alpine Linux RHEL CentOS
Update to FreeType 2.13.3
Update to FreeType 2.13.3
FEBRUARY 2025
745
JANUARY 2025
743
DECEMBER 2024
757
Breach
01 Dec 2024 • Meta
Meta VR Headset Security Breach via Big Mama VPN

Meta's virtual reality headsets have been implicated in a potential security breach through the use of Big Mama VPN, a free VPN service that sells access to users' home internet connections. Teenagers have been using this VPN to cheat in the game Gorilla Tag by creating a delay to easily ‘tag’ opponents. However, the same service has been linked to cybercriminal activities, as it allows buyers to hide their online activities by piggybacking on the VR headset's IP address. While this tactic mainly targets individual users for in-game advantage, it has been associated with residential proxy services, which are popular among cybercriminals for conducting cyberattacks using proxy networks and botnets. This could lead to more significant privacy and security breaches for Meta's VR headset users.

740
medium -17
MET000122024
Security Breach
Big Mama VPN
Home internet connection access via VPN
In-game advantage Cybercriminal activities
Systems Affected: Meta VR Headsets
Entry Point: Big Mama VPN High Value Targets: VR Headset Users
Root Causes: Use of Big Mama VPN
Vulnerability
01 Dec 2024 • Meta
Big Mama VPN Exploit in Gorilla Tag

In the virtual reality game Gorilla Tag, a clever exploit involving a free VPN called Big Mama VPN has been uncovered. Teenagers have used the VPN to cheat by creating a lag to more easily 'tag' other players. What makes Big Mama VPN particularly concerning is that it also sells access to users' internet connections, allowing others to disguise their online activities using the VR headset's IP address. This has been linked to cybercriminal activity and has placed the users’ privacy and security at risk. However, in this scenario, there does not appear to be any actual data breach or cyberattack directly impacting Meta's systems or its users' personal data.

740
low -17
MET000122124
Exploit
Free VPN usage for cheating and selling access to internet connections
Cheating in the game and financial gain from selling internet access
Brand Reputation Impact: Potential damage to Gorilla Tag's reputation
Entry Point: Big Mama VPN
OCTOBER 2024
759
Cyber Attack
01 Oct 2024 • Meta
Intrusive Ad Campaigns and Disinformation Operations in Moldova

In Moldova, intrusive ad campaigns and disinformation operations targeting social media users have been deployed on platforms like Facebook and TikTok, leading to considerable political unrest. Earning at least $200,000 from these politically motivated ads, Meta's platforms have become conduits for a pro-Kremlin faction seeking to influence election outcomes and destabilize local governance, undermining societal trust and contributing to diplomatic tensions which can potentially threaten the nation's geopolitical affiliations and internal stability.

754
critical -5
MET000102024
Disinformation Campaign
Social Media Ads Disinformation
Political Influence
Facebook TikTok
AUGUST 2024
787
Breach
01 Aug 2024 • Meta
Meta Biometric Data Breach

Meta faced a significant privacy breach as the Texas attorney general accused it of capturing biometric data of millions of Texans without consent, utilising a facial recognition feature. Although no explicit data leakage was reported, the breach posed a reputational risk and raised concerns over personal data handling, resulting in a massive $1.4 billion settlement. This incident highlights the increasing scrutiny of tech giants regarding data privacy practices, and their potential financial and reputational impacts.

756
medium -31
MET000080424
Privacy Breach
Facial Recognition Feature
Unauthorized Biometric Data Collection
Legal Enforcement
Financial Loss: $1.4 billion Data Compromised: Biometric Data Brand Reputation Impact: High Legal Liabilities: Significant
Type Of Data Compromised: Biometric Data Number Of Records Exposed: Millions Sensitivity Of Data: High
Fines Imposed: $1.4 billion Legal Actions: Settlement
Root Causes: Unauthorized Biometric Data Collection
JUNE 2023
776
Cyber Attack
16 Jun 2023 • Meta (WhatsApp)
WhatsApp Screen-Sharing Scam Exploiting Psychological Manipulation for Financial Theft and Data Breaches

A fast-spreading **screen-sharing scam** on WhatsApp exploited the platform’s screen-sharing feature (introduced in 2023) to deceive users into granting scammers remote access to their devices. The attackers posed as trusted entities (e.g., bank employees or Meta support agents), using psychological manipulation—trust, urgency, and panic—to trick victims into sharing screens or installing remote-access tools like **AnyDesk** or **TeamViewer**. Once access was granted, scammers stole **banking credentials, passwords, and one-time passwords (OTPs)**, leading to **massive financial losses globally**. A notable case in **Hong Kong** resulted in a victim losing **~$700,000 USD**. Meta responded by deploying **AI-powered real-time warnings** for unsaved contacts during screen-sharing attempts and dismantling **8 million scam-linked accounts** and **21,000 fake customer service pages** across high-risk regions (Myanmar, Cambodia, UAE, etc.). Despite mitigation efforts, the scam’s **widespread financial fraud**—targeting individuals via **phishing and social engineering**—highlighted vulnerabilities in user trust and platform security. The attack primarily compromised **personal financial data**, with no evidence of systemic infrastructure breaches or ransomware involvement.

770
high -6
MET5292052111325
social engineering; phishing; fraud; data breach
phone call (WhatsApp video call); psychological manipulation; screen-sharing abuse; remote-access tools (AnyDesk, TeamViewer)
human trust/urgency bias; WhatsApp screen-sharing feature (misuse); lack of user awareness
financial gain; identity theft; account takeover
$700,000 (Hong Kong case) massive global losses (unspecified total) passwords banking details one-time passwords (OTPs) personal data WhatsApp accounts user devices (via remote-access tools) banking apps/websites widespread (evidenced by Reddit discussions) moderate (Meta proactively addressing issue) high (OTPs and banking details exposed) high (direct access to banking apps)
ESET (research analysis) AI-powered real-time screen-sharing warnings for unsaved contacts removal of 8M scam-linked accounts takedown of 21K fake customer service pages user education campaigns enhanced account security prompts (e.g., Two-Step Verification) public advisories (Meta blog, ESET report) Reddit community warnings AI-driven scam detection
credentials financial data PII (via OTPs) Sensitivity Of Data: high
Psychological manipulation (trust/urgency) is as critical as technical vulnerabilities in scam success. Default trust in platform features (e.g., screen-sharing) can be weaponized. Proactive AI warnings can mitigate human-error risks but require user compliance.
Never share screens, passwords, or OTPs with unsolicited callers, even if they impersonate trusted entities. Enable Two-Step Verification on WhatsApp and other critical accounts. Verify suspicious claims via independent, trusted channels (e.g., official bank contacts). Educate vulnerable populations (e.g., elderly) on recognizing urgency-based scams. Platforms should expand AI warnings to include behavioral analysis (e.g., rapid screen-sharing requests).
ongoing (Meta and ESET actively monitoring)
Avoid screen-sharing with unknown contacts. Use Two-Step Verification. Report suspicious WhatsApp accounts via the app.
Meta’s public safety updates ESET’s threat analysis
Entry Point: WhatsApp video call from unsaved number remote-access tools (AnyDesk, TeamViewer) banking credentials OTPs personal data
Over-reliance on user vigilance for feature misuse (screen-sharing). Lack of default restrictions on screen-sharing with unsaved contacts. Exploitation of human psychology (trust in authority figures, fear of loss). Meta’s AI warnings for unsaved-contact screen-sharing. Mass takedown of scam infrastructure (accounts/pages). Public awareness campaigns on psychological scam tactics.
NOVEMBER 2022
783
Breach
01 Nov 2022 • Meta
Meta Data Privacy Breach

Meta suffered a data privacy breach after dozens of employees and contractors, including Meta security guards, were revealed to have been improperly accessing users’ accounts. The employees and contractors wrongly used Facebook’s internal mechanism for helping users who have forgotten their passwords reclaim their accounts. They even assisted third parties in fraudulently taking control of Instagram accounts. Meta fired the employees as soon as it learned of the incident.

765
critical -18
MET1717151222
Data Privacy Breach
Insider Threat
Internal mechanism for helping password-forgetting users reclaim their accounts
Unauthorized access to user accounts and assisting third parties
Data Compromised: User account data
Remediation Measures: Firing of employees involved
Type Of Data Compromised: User account data
DECEMBER 2019
744
Data Leak
01 Dec 2019 • Meta
Facebook Data Breach

Facebook suffered a data breach that exposed the information of over 267 million Facebook users. The compromised information includes names, phone numbers, and profiles. The database was available online without a password, exposing sensitive personal data to anyone who accessed it. It was not determined exactly how the data had been accessed or what it was being used for. It was found that the data could be used for spam messaging and phishing campaigns, and the company said it contacted the internet service provider that was hosting the database.

720
medium -24
MET2298523
Data Breach
Spam messaging Phishing campaigns
Names Phone numbers Profiles
Names Phone numbers Profiles
NOVEMBER 2019
759
Data Leak
01 Nov 2019 • Meta
Facebook Group Data Sharing Incident

According to Facebook Inc., the names and profile pictures of users who were part of certain groups were shared privately by users within some groups on its main social network. A programme that enables information sharing between Facebook and outside developers could see which users shared posts or left comments inside a group. Access to the material has reportedly been withdrawn or restricted, according to the organisation. A recent examination by the corporation revealed that this additional information was also being distributed.

742
medium -17
MET84930423
Data Breach
Data Sharing Program
Information Sharing Program
Names Profile Pictures Posts Comments
Access Withdrawn or Restricted
Names Profile Pictures Posts Comments Names Profile Pictures
AUGUST 2019
778
Data Leak
01 Aug 2019 • Meta
Meta Data Privacy Breach

Meta suffered a data privacy breach in which hundreds of millions of phone numbers linked to Facebook accounts were found online. The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam. Because the server wasn’t protected with a password, anyone could find and access the database. Each record contained a user’s unique Facebook ID and the phone number listed on the account, which can be easily used to discern an account’s username.

754
critical -24
MET13011423
Data Breach
Unprotected Server
Unprotected Server
Phone numbers Facebook IDs
Phone numbers Facebook IDs
JUNE 2019
829
Breach
16 Jun 2019 • Facebook (Meta)
India's Evolving Data Privacy Landscape Under the Digital Personal Data Protection (DPDP) Act

The article references violations in the **US case against Facebook**, highlighting systemic failures in data protection. Allegations include **misleading privacy settings**, **indiscriminate sharing of user data with third parties without explicit consent**, and **failure to disclose data breaches** in a timely manner. These lapses eroded user trust and exposed sensitive personal data to unauthorized entities, violating core principles of **choice and consent**—a cornerstone of modern data privacy laws like India’s **DPDP Act**. The breaches led to **reputational damage**, **regulatory scrutiny**, and **potential financial penalties** (e.g., the $5 billion FTC fine in 2019 for similar violations). The incident underscores the risks of **poor governance**, **lack of transparency**, and **contractual liabilities** for processors handling user data, aligning with the article’s warning about cascading consequences for non-compliance in third-party ecosystems.

776
high -53
MET1832818101325
Regulatory Compliance Risk Data Protection Framework Contractual Liability Exposure
Regulatory Non-Compliance Contractual Obligations Reputational Risk
Increased due diligence for processors Contractual penalties for breaches Scaling compliance challenges Loss of trust for non-compliant processors Differentiation for well-governed processors Contractual damages from fiduciaries Potential regulatory scrutiny (indirectly via fiduciaries)
Cybersecurity consulting firms (e.g., EY India) Map personal data flows Implement encryption and access controls Define breach notification timelines (internal) Centralize compliance programs Stakeholder consultations by government Industry alignment directives
Recommended as a safeguard Potential risk if breaches occur
Potential violations of DPDP Act (2023) Up to ₹250 crore for fiduciaries; contractual penalties for processors Contractual disputes Damages claims from fiduciaries 72-hour breach notification to Data Protection Board (via fiduciaries)
Processors cannot assume insulation from liability despite lack of direct DPDP penalties. Proactive compliance reduces contractual and reputational risks. Centralized privacy programs improve scalability for multi-client engagements. Government prioritization signals urgency for systemic alignment.
Conduct data flow mapping to identify personal data handling. Adopt fiduciary-grade security controls (encryption, access management). Establish internal breach notification timelines (<72 hours). Align with fiduciary expectations via readiness assessments. Consolidate vendor relationships to reduce risk exposure. Voluntarily adopt DPDP-compliant governance frameworks.
Ongoing regulatory framework implementation
Government-directed system alignments Industry consultations
Lack of processor governance maturity Inadequate contractual safeguards for low-governance vendors Scaling challenges for well-governed processors Strengthen due diligence for third-party processors Implement centralized compliance frameworks Enhance breach response preparedness
Data Leak
16 Jun 2019 • Meta
Facebook Data Leak 2021

The Irish Data Protection Commission (DPC) has fined Meta €265 million ($275.5 million) for the data leak that Facebook experienced in 2021 which exposed the data of millions of Facebook users. In a hacker forum, a user posted the phone numbers and personal information of 533 million Facebook users for free online. Alon Gal, the CTO of the cyber intelligence company Hudson Rock, broke the news about the data's accessibility first. After learning about the data loss, the Irish DPC immediately began looking into any GDPR violations by Meta. Threat actors used a vulnerability that was addressed in 2019 to scrape data from the social network to gather the data.

776
critical -53
MET210151023
Data Breach
Data Scraping
Vulnerability addressed in 2019
Financial Loss: €265 million ($275.5 million) Data Compromised: Phone numbers and personal information
Phone numbers Personal information Number Of Records Exposed: 533 million
Regulations Violated: GDPR Fines Imposed: €265 million ($275.5 million)
Vulnerability
16 Jun 2019 • Meta
Meta Password Storage Lapse

In 2019, Meta faced a password storage lapse resulting in hundreds of millions of Facebook, Facebook Lite, and Instagram passwords being stored unprotected in plaintext on internal platforms. This lapse in data protection led to a substantial fine of €91 million by the Irish Data Protection Commission for violating the EU's General Data Protection Regulation. The exposure of such sensitive data posed a significant risk of abuse and unauthorized access to users' social media accounts, undermining user privacy and security.

776
critical -53
MET000092924
Data Breach
Internal Data Handling
Unprotected plaintext password storage
Financial Loss: €91 million fine Data Compromised: Passwords Systems Affected: Internal platforms Brand Reputation Impact: Undermining user privacy and security Legal Liabilities: Violation of EU's General Data Protection Regulation Identity Theft Risk: Significant risk of abuse and unauthorized access
Type Of Data Compromised: Passwords Number Of Records Exposed: Hundreds of millions Sensitivity Of Data: High
Regulations Violated: EU's General Data Protection Regulation Fines Imposed: €91 million
APRIL 2018
844
Breach
01 Apr 2018 • Meta
Cambridge Analytica Data Incident

Facebook disclosed that 87 million users, far more than the 50 million first believed, have been impacted by the Cambridge Analytica issue. Mike Schroepfer, the chief technology officer of Facebook, offered further information about the matter, including updated estimates of the total number of users impacted. Additionally, the CTO described how Facebook gives its users new privacy tools. Following the Cambridge Analytica scandal, Facebook removed several Russian accounts that were used for propaganda.

824
critical -20
MET34251223
Data Breach
Third-Party App
User Data Misuse
Data Collection
Data Compromised: User Data
Facebook removed several Russian accounts that were propagandised Facebook gives its users new privacy tools
Type Of Data Compromised: User Data Number Of Records Exposed: 87 million

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for Meta is 726, which corresponds to a Moderate rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 736.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 751.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 748.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 748.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 750.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 748.

According to Rankiteo, the A.I. Rankiteo Cyber Score for April 2025 was 747.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2025 was 747.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2025 was 745.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2025 was 743.

According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2024 was 740.

Over the past 12 months, the average per-incident point impact on Meta’s A.I Rankiteo Cyber Score has been -6.0 points.

You can access Meta’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/meta.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view Meta’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/meta.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.