The ‘White FAANG’ Data Export Attack: Unveiling PII Threats

December 3, 2024

In the era of GDPR, users have the right to download all the data that websites store about them. While this promotes transparency and data portability, it also introduces significant risks. Cybersecurity firm CyberArk highlights the potential dangers of this new right to data portability. Previously, sensitive data was safeguarded in ultra-secure data centers. However, with the advent of cloud-based data retrieval, if hackers gain access to a user's account, they can steal all the stored data.

The potential for misuse is immense given the volume of data collected by websites today. Lior Yakim, a threat researcher at CyberArk Labs, calls this the 'White FAANG' attack, as the data vulnerable to export comes from major tech companies like Facebook, Amazon, Apple, Netflix, and Google (FAANG). "It's my legal right, and it's perfectly fine that I'm capable [of seeing] what information is being kept about me," says Yakim, but he also warns of the significant risk due to the ease of access to such intrusive information.

The largest technology companies store vast amounts of sensitive information, from personally identifying information (PII) to extensive records of online activity. The GDPR's data portability rules require companies to make all this information exportable in a machine-readable format. This raises the question: what's to prevent a hacker with access to your account from exporting all this data? "The most common protection is, indeed, multifactor authentication (MFA). But as we know, MFA can be bypassed," Yakim notes.

With access to exported data, a hacker could potentially use your Google search history to blackmail you, your Meta GPS data to pinpoint your location, and your Apple calendar history to track your movements. There's also the risk to employers, as individual accounts can contain data that can be used to launch attacks against the companies they work for. For instance, with an Apple data export, a hacker could obtain the MAC address of an employee's unpatched AirPods, spoof a Bluetooth connection, exploit CVE-2024-27867 to gain access, and eavesdrop on corporate meetings.

CyberArk's survey of 14,000 employees revealed that approximately 63% use personal accounts on their work computers, and 80% access work applications from their personal computers. This blurring of lines between personal and professional online activities increases the risk of work passwords being stored in less secure personal accounts, from which they can be exported. To mitigate such risks, Yakim emphasizes the need for employees to clearly separate their personal and corporate online activities. "Personal accounts are less secure than corporate accounts," Yakim says. "That's the message that we're trying to deliver here."

Related News

• Apple Fixes AirPods Bluetooth Security Flaw Allowing Unauthorized Access

Latest News

• BootKitty UEFI Malware Exploits LogoFAIL Flaw to Target Linux Systems
• Critical Authentication Flaw in ProjectSend Exploited by Hackers
• Russian Hacker 'Matrix' Builds Powerful DDoS Botnet Using Publicly Available Tools
• NachoVPN: New Attack Strategy Exploits VPN Vulnerabilities for Malicious Activities
• Russian APT 'RomCom' Exploits Zero-Day Vulnerabilities in Firefox, Tor