Unsafe Jokes: How Privacy is Sacrificed for Internet Fun

Father

Ever since the advent of social media, security experts have urged users to keep their profiles as private as possible. Not everyone listens to such statements, and the result is large-scale campaigns that affect tens of thousands of users. In this article, we have collected some striking examples.

In early 2023, Hyundai and Kia released free security patches for millions of their vehicles. The reason was a wave of car thefts provoked by a viral flash mob on TikTok. Unscrupulous users, known as Kia Boyz, posted instructional videos online showing how to bypass the car's security system using a simple USB cable.

The root cause was a technical vulnerability in the software: many Hyundai and Kia 2015-2019 models do not have electronic immobilizers and could be started without the ignition key. However, it was social networks that played a crucial role: information that would previously have been a "professional secret" of car thieves quickly spread on the Internet, and videos using the exploit became a free training tool for criminals.

According to the National Highway Traffic Safety Administration, the so-called Kia Challenge was followed by hundreds of carjackings across the country, with at least 14 reported crashes and eight deaths. The emergency safety patch affected more than 8 million vehicles: 3.8 million Hyundai models and 4.5 million Kia models. Car owners had to deliver their cars to the dealership, where specialists fixed the problem in less than an hour. Upgraded cars also received a window sticker indicating that they were equipped with anti-theft technology.

Dmitry Ovchinnikov
Chief Specialist of the Integrated Information Security Systems Department of Gazinformservis

The theft of cars was not related to the TikTok challenge [as such], but to the fact that Kia and Hyundai did not close the security hole until the vulnerability became known from the TikTok social network. All this is due to the fact that the availability of cheap mobile Internet and smartphones will completely change the style and speed of information dissemination. If earlier only a narrow circle of specialists knew about vulnerabilities, now such information is easily distributed among the mass of people. This should be understood by all software and electronics developers.

The response time to fix a vulnerability has significantly decreased in the last 10 years, so some people just need to be more agile and, when a vulnerability is discovered, not hide their heads in the sand but immediately close it by releasing an update.

Indeed, the vulnerability would have remained in the cars even if social networks had not talked about it, and the flash mob even helped to draw attention to the problem. However, there are also examples of intentionally malicious social media activity under the guise of entertainment.

Sex sells and infects with malicious software

One of these examples is related to another TikTok flash mob, the Invisible Challenge. The story began absolutely legitimately: users were asked to film themselves naked using a filter that replaced the body with a blurry image. When posts with tens of millions of views were published under the hashtag #invisiblefilter, cybercriminals became interested in the topic.

After some time, Checkmarx researchers found videos in social networks with links to apps that allegedly removed the filter, allowing you to see the original content. The campaign organizers launched a Discord server, where they posted several explicit videos, claiming that they had obtained them using their own software. They described the program as a simple open source utility that could be downloaded from a GitHub repository. According to experts, the program included a malicious script that installs a Python package with a hidden stealer inside. As a result, the malware gave criminals access to the victims' devices.

Dmitry Ovchinnikov
Chief Specialist of the Integrated Information Security Systems Department of Gazinformservis

Various kinds of challenges and flash mobs can be not only fun actions for entertaining users of social networks, but also thoughtful actions for collecting user data and distributing malware. This is due to the fact that in the era of Big Data, information about user preferences became a commodity that is profitable to collect and sell. This is neither good nor bad, it's just that time passes and everything around us changes. This factor just needs to be understood and taken into account.

A similar category includes popular "tests" like "Who would you be in the Harry Potter books" or "Aura Analysis by avatar". These apps require access to the user's social network profile, sometimes even full access. As a result, the user receives a post with some usually meaningless text, while the creator of the "test" receives valuable private data, from the person's place of residence to their marital status and interests. This information can then be used for advertising purposes, including reselling to brokers.

Apps where users are asked to answer seemingly innocuous questions can be even more dangerous. When entering the name of their first pet or their favorite color, people often forget that this information can help answer a security question, for example, when reissuing a bank card or applying for a loan online.

Maria Vylegzhanina
Managing Director of MDK Creative

In 2018, Russian users were caught up in a flash mob related to the installation of the free GetContact app. Users were hooked by the opportunity to find out how they are recorded in other people's phone books.

During installation, people gave the app access to the contact database. It turned out that the person transmitted data about everyone who is in his phone book.

This data was added to the app's database, so users already present there were verified and new names were added. Further, this data could be used for spam calls and fraudulent actions.

Even if criminals don't aim to hack into a particular person's personal account, a mass flash mob allows them to collect big data about people's daily habits, for example, to understand which names are most often given to pets. Law-abiding organizations, such as the owners of social networks that earn money from user data, can set similar goals. Well-designed privacy policies often allow Internet companies to use such information for almost any legitimate purpose. Another extensive group of complaints about social networks is associated with exactly this kind of data mining.

People are the new oil

In 2019, the flash mob "10 years ago" was popular on Facebook (banned in the Russian Federation): users shared their life successes by placing the first photo of their profile next to a current one. In just three days, the flash mob gathered millions of participants, and the social network administration claims that this popularity has grown organically, without additional promotion.

However, a few days later, the management hurried to completely disown the flash mob. The reason was suspicions about the real motives of the organizers of "10 years ago": are they trying to collect data for training neural networks and facial recognition systems for free?

All this happened against the background of questions to other technology giants that were developing smart video surveillance and image recognition projects. Back in 2018, Amazon shareholders protested against management's plans to give the US government access to the Rekognition AI system, which allows you to recognize objects and faces in photos. In January 2019, just as social media users were posting their old photos, a group of investors issued a demand to stop selling Rekognition until independent experts confirm that the system cannot be used to violate individual rights. Soon, representatives of a coalition of more than 85 groups that advocate for racial justice, faith, civil rights, human rights, and immigrant rights addressed similar demands to Microsoft, Amazon, and Google. The point is the same — to stop supplying facial recognition systems to government agencies so that they cannot be used against civil society.

For those who were not so concerned about basic rights and freedoms, experts offered to answer the question: why do free work for a corporation that will bring it huge profits? Yes, Facebook users already upload a huge amount of private content, including their photos. However, these images are very different from the data collected by the nostalgic flash mob: in the latter case, users guaranteed that the photos were taken by the same person, indicated the year or even month of the image, and provided other context that prepares the "raw" images for processing by the neural network.

Maria Vylegzhanina
Managing Director of MDK Creative

Some of the information can actually be used for useful purposes. For example, to develop infrastructure by analyzing crowded areas or active travel routes. But the vast majority of cases are related to commercial projects. So here you need to answer the question: do you want to participate in them?

If your personal information or documents were used against your will, you can hire a good lawyer and defend your rights and freedoms. But this will require a lot of time and expense, so I recommend avoiding providing access to your data and avoiding various flash mobs.

Experts concluded that such a discussion in itself is a sign of the times: information literacy is growing, and it is becoming more difficult for corporations to dispose of user data as their own property.

Social networks are not your personal space

The question of whether companies suffer from ill-considered actions of users in social networks is rhetorical: of course, there is a threat. More and more employees are accessing VK from their work computers, including for work purposes. Here they can reveal their credentials to fraudsters, infect a corporate device with malware, or get caught in phishing.

Therefore, it is very important for companies to think through security policies in the context of social networks. And users should remember that their private data is of great value to both legitimate and illegitimate figures.
 