Meta Platforms Inc. recently launched a new social media platform called ‘Threads’. As Meta CEO Mark Zuckerberg tries to muscle in on Twitter’s dominance of the microblogging space, the data privacy and cyber security concerns associated with ‘Threads’ need to be addressed to keep individuals safe in both a personal and corporate setting.
On Wednesday July 5th, 2023, social media giant Meta (the parent organisation behind Instagram, Facebook, and WhatsApp) launched a brand-new social app called ‘Threads’. By Friday July 7th, just two days later, Zuckerberg announced the app had surpassed 70 million signups, stating this was ’way beyond [their] expectations’. By Monday the 10th, after launching in 100 countries, Threads had crossed 100 million signups. By hitting over 100 million users in less than five days, Threads overtook ChatGPT’s growth record of 100 million users in two months.
However, with any instance of rapid and exponential adoption of first-generation technologies, especially social media platforms, comes significant data privacy concerns and the threat of opportunistic cybercriminals.
Whilst it has been labelled as a Twitter alternative, there are a few significant differences between the two platforms, and many cyber risks rear their heads as a result.
We will run through the privacy concerns and cyber scams we have seen on the platform later in this piece … but to understand where these cyber issues stem from, let’s first build some foundational knowledge on why Threads is different to Twitter.
We do have to keep in mind that Threads is still an incredibly young social media platform and that features are being added to the network as it grows and listens to users. Zuckerberg, for instance, responded with a ‘thumbs up’ on Threads to YouTube tech influencer Marques Brownlee’s request that bosses listen to feedback and adjust timelines.
A major reason for Threads’ astronomical signup numbers is the app’s simple sign-up process, which prompts users to log into the app using their Instagram accounts. Threads then utilises the user’s Instagram data and profile to populate their new profile and generate follow lists.
One can also argue that Meta’s timely launch of Threads is in direct response to the uncertainty and tumultuous period that Elon Musk’s Twitter platform is experiencing. As the space-enthusiast billionaire debates and alters his social media platform’s name and branding, policies and financial pipeline, Meta has seized the opportunity to entice its competitor’s user base to a platform purporting to be remarkably similar.
What is pushing users away from Twitter? Twitter used to be the online town square that stimulating conversations called home, but it has turned into a playground for trolls and bots with a marked uptick in hate speech on the platform: slurs against Black Americans have increased by over 2,500 uses a day, slurs against gay individuals have increased by over 1,000 uses a day, and antisemitic posts soared more than 61% in the two weeks after Twitter was sold to Musk in a $44 billion deal.
At the outset, Meta’s opportunistic grab for users appears to have worked, with Sensor Tower data revealing that Threads is currently the most downloaded free app in the United States on both the Apple App Store and Android’s Google Play Store. However, the engagement numbers tell a different story: Threads has seen a nearly 70% decline in the number of daily active users, and this pullback could be attributed, at least in part, to the myriad cyber security issues that have arisen post-launch.
Social media and online privacy expert Mark Weinstein said: “If people are looking for an alternative to Twitter that respects their data privacy and right to civil discourse, they will have to keep searching.”
If Threads is so intrinsically linked to Facebook, Instagram and the whole Meta network of platforms, can we assume that its cyber security baseline is directly in line with its stablemates?
Threads running through Instagram and Meta could be seen as a positive: Instagram and Meta have suffered several breaches, have learnt from them, and that experience can inform how Threads is secured. Meta now employs a great deal of security expertise and has become increasingly wary of breaches and attacks. It simply must put its best foot forward with Threads.
On the other hand, one could argue a parent corporation with a history of significant cyber breaches does not exactly inspire confidence in the durability of a new platform.
Meta has a complicated cyber security history, but it is also highly informative of what to expect from Threads and whether the platform is something you or your organisation wants to be a part of.
Social media platforms will always host ongoing challenges and issues related to data privacy and security. This is why it is essential that individual users and employees are aware of how to leverage a platform’s privacy settings, and companies must disseminate up-to-date and comprehensive protocols for employees that use these platforms.
To be able to do this, we would need to know and analyse the threats we have already seen on Threads, so why don’t we do just that?
Researchers at security vendor Kaspersky have discovered several deceptive tactics being used by scammers to exploit the app’s growing user base. Many of these opportunistic scams involve fake ‘Threads’-like apps designed to trick unwitting users into handing over access to their accounts, personal data and even finances.
Kaspersky has seen fraudsters set up phishing pages that mimic a web version of Threads which deceives users into entering login credentials and confidential information.
Veriti, a security management platform, has noted an increase in suspicious lookalike domains, with more than 700 registered within five days of Threads’ launch. These domains include threads[.]ovh, threadsfollower[.]org, metathreads[.]social, threadsapp[.]shop and threadsinstagram[.]app. What are these domains pushing? An APK file download that pretends to be an official Android store application but is actually an unauthorised, malware-laden package that the victim sideloads outside the official store.
And, as we have mentioned already, a Threads account is signed in with the user’s Instagram account and, depending on their settings, may also be linked to their Facebook information. If a scammer obtains a user’s Threads credentials, they have in effect obtained Instagram credentials too, and could commandeer those other social media accounts, dox the user or damage them financially.
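The lookalike-domain problem above is the kind of thing a security team can triage automatically from a newly-registered-domain feed or Certificate Transparency stream. The following is an added example written for this piece (not Veriti’s or Kaspersky’s tooling, and not code from the original article): a brand-monitoring heuristic that scores each domain for brand terms, unexpected TLDs, digit-for-letter homoglyphs, near-miss typos and common lure words. It assumes threads.net, instagram.com and meta.com as the legitimate domains, and the sample feed is constructed for the example apart from the five defanged domains quoted above.

```python
"""Brand-lookalike triage for a domain feed (added example, not from the article).

Assumptions: LEGIT_DOMAINS is a hand-maintained allowlist; SAMPLE_FEED is
constructed for this example, apart from the five defanged domains quoted
in the text above.
"""

LEGIT_DOMAINS = {"threads.net", "instagram.com", "meta.com"}  # assumed allowlist
BRAND_TERMS = ("threads", "instagram", "meta")
LEGIT_TLDS = {"net", "com"}  # TLDs where the brand legitimately lives
# Words commonly bolted onto a brand name in phishing and fake-app lures.
LURE_WORDS = ("login", "verify", "follower", "download", "apk", "coin", "free", "app")
# Digit/symbol substitutions attackers use to slip past naive substring checks.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def refang(domain):
    """Normalise 'threads[.]ovh' (defanged, as in threat reports) to 'threads.ovh'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def levenshtein(a, b):
    """Plain edit distance, used to catch near-miss typosquats such as 'threds'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain):
    """Return (score, reasons). Higher is more suspicious; 0 means no brand signal."""
    d = refang(domain)
    if d in LEGIT_DOMAINS:
        return 0, ["allowlisted"]
    labels = d.split(".")
    if len(labels) < 2:
        return 0, ["not a registrable domain"]
    tld = labels[-1]
    raw_sld = labels[-2]                      # second-level label as registered
    host = ".".join(labels[:-1]).translate(HOMOGLYPHS)  # hostname with homoglyphs folded
    sld = raw_sld.translate(HOMOGLYPHS)
    score, reasons = 0, []

    brand = next((b for b in BRAND_TERMS if b in host), None)
    if brand:
        score += 3
        reasons.append(f"contains brand term '{brand}'")
        if tld not in LEGIT_TLDS:
            score += 2
            reasons.append(f"brand term on unexpected TLD .{tld}")
    else:
        # Near-miss typos: only checked for the longer brand terms, because a
        # 4-letter term like 'meta' sits one edit away from ordinary words.
        for b in (t for t in BRAND_TERMS if len(t) >= 6):
            dist = levenshtein(sld, b)
            if 0 < dist <= 2:
                score += 3
                reasons.append(f"'{sld}' is {dist} edit(s) from '{b}'")
                break
    if score == 0:
        return 0, ["no brand signal"]

    if raw_sld != sld:
        score += 2
        reasons.append("digit/symbol homoglyph substitution")
    remainder = host.replace(brand, "") if brand else host
    lures = [w for w in LURE_WORDS if w in remainder]
    if lures:
        score += 1
        reasons.append("lure word(s): " + ", ".join(lures))
    return score, reasons


def verdict(score):
    """Map a score to an analyst action."""
    if score >= 5:
        return "block"
    if score >= 3:
        return "review"
    return "benign"


def triage(feed):
    """Score a feed of domains and return rows sorted most-suspicious first."""
    rows = []
    for raw in feed:
        score, reasons = score_domain(raw)
        rows.append((refang(raw), score, verdict(score), reasons))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample feed: the first five are the defanged domains quoted above,
# the rest are invented to exercise the allowlist, homoglyph, typo and
# false-positive paths ('knittingthreads.co' is a legitimate-looking shop).
SAMPLE_FEED = [
    "threads[.]ovh", "threadsfollower[.]org", "metathreads[.]social",
    "threadsapp[.]shop", "threadsinstagram[.]app",
    "threads.net", "thr3ads-login.com", "threds.com", "knittingthreads.co", "example.org",
]

if __name__ == "__main__":
    for domain, score, action, reasons in triage(SAMPLE_FEED):
        print(f"{action:6} {score:2} {domain:24} {'; '.join(reasons)}")
```

The caveat the sample feed is built to show: ‘threads’ is an ordinary English word, so a brand-term heuristic will flag innocent domains such as knittingthreads.co alongside the real lures, and the ‘block’ bucket is a queue for an analyst, not an automatic blocklist. Feeding the output into a defensive registration or takedown workflow is the usual next step.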
Nicolai Solling, CTO at cyber security firm Help AG, said the app not launching in Europe has exacerbated the fake Threads app issue on the continent. Solling said: “Some individuals within the EU have turned to unauthorised app stores as a means to gain access to the app, inadvertently putting themselves at risk.” For instance, a screenshot circulating at the time showed ‘Threads for Insta’ as the number one social networking app on the German App Store, despite no official release of the application in the country.
Kaspersky Spain identified over 200 suspicious malware attacks on Threads within the first 24 hours of release. This involved sending new users malicious links and phishing messages.
We have also seen threat actors use a fictitious service called Threads Coin, claiming the coin offers enhanced opportunities in the Metaverse. Cybercriminals are tricking users into purchasing Threads Coins using actual Ethereum cryptocurrency, before delivering nothing and slinking away with a monetary win.
Lisa Ventura MBE, founder of Cyber Security Unity, told us: “Another main way that scammers could target users on Threads is by impersonating platform officials, moderators or popular figures within the community. They may try to exploit users by claiming to offer special privileges, promotions or exclusive content in exchange for personal information, payment or other deceptive means or actions.”
Crypto News has also revealed a considerable number of imposter Threads accounts popping up pretending to be associated with legitimate cryptocurrency enterprises. For instance, decentralised finance platform Wombex Finance had to warn followers that scammers were using their name and imagery to lure unsuspecting users into a scam.
We have seen similar impersonation tactics with LeonidasNFT and MachiBigBrother, very influential figures in the nonfungible token (NFT) community. Here, scammers are hoping that by taking control of a well-known individual’s or business’s name, they can disseminate malicious links and potentially access sensitive information or login credentials, or even coax users into a financial disaster.
Another scheme that has been discovered involves the offer of follower generation for new users. An illegitimate website or email offers an individual the chance to opt in to 10,000, 25,000 or 50,000 followers. The user is asked to undergo a human verification process (building a false sense of legitimacy) that asks them to send an SMS or claim a prize through a payment. This is a clever two-pronged attack: the user could be tricked into handing over financial information if duped by the prize scam, or they could send the SMS and be used by the threat actor to spread the scam through multiple shares. Innovative and multi-layered social media attacks like this are complex in their construction and are designed to overwhelm individuals.
Olga Svitsunova, security expert at Kaspersky, said: “Scammers have mastered the art of capitalising on trendy topics, emphasising the importance of maintaining constant alertness. The prevalence of scams surrounding the popular Threads app serves as a stark reminder of the risks we face in the digital realm. From deceptive schemes to data collection tactics, these fraudsters spare no effort in compromising your personal and financial security.”
The prevalence of identity theft used to seed cryptocurrency scams and metaverse swindles on Threads is a sign that this platform, like most social media platforms, carries the same level of identity theft and doxxing risk, perhaps even more so.
Upon creating an account, Threads will ask for permission to collect data like health and fitness, finances, contact information, user images, browsing history, purchases, location, search history and ‘sensitive info’. ‘Sensitive info’ includes racial or ethnic data, sexual orientation, pregnancy information, disability, religious or philosophical beliefs, political opinion, genetic information and biometric data.
This means a data profile will be created for new users that includes things like email addresses, date of birth, photos, interests, phone numbers, locations, IP (Internet Protocol) addresses, mobile network information, who they like to interact with and even the groups they are connected to.
“It looks to me like it is a grab bag or a drift-net approach,” said Brett Caraway, Professor of Media Economics at the University of Toronto. Caraway added that “It has become ’standard repertoire’ for such companies to broker access to as much data as possible.” Sounds like a hacker’s dream, doesn’t it?
The Citizen states that hackers target budding platforms to take advantage of a naïve cyber security culture to easily trick users into a compromised or cloned portal. If credentials are entered, we could see massive amounts of personal and corporate details compromised via Threads – like we have seen on other social media platforms.
Lisa Ventura MBE, founder of Cyber Security Unity, told us: “Scammers will often adapt their tactics to exploit new platforms and technologies, and doing so on Threads will be no exception. This could be done via phishing with the use of notifications or messages that appear to come from Threads asking users for sensitive information like usernames, passwords, or financial details. Fake profiles or accounts like on other social media platforms could also be an issue, as they will purport to be from legitimate users, influencers, or other customer support representatives to gain trust and manipulate users into sharing personal information or engaging in fraudulent activities.”
According to research conducted by Top10VPN, Threads collects 45% more individual data points than Twitter. Brian Higgins, security specialist at Comparitech, concludes: "Threads is clearly a data-grabbing exercise and is totally at odds with multi-jurisdictional privacy frameworks."
Despite that, Alan Crowetz, CEO of IT (Information Technology) Support firm InfoStream, states that the threat level for Threads currently sits at 'medium' or 'yellow alert'. He said Threads having the ability to collect a lot of personal information such as location, finance and even health and fitness information is extremely alarming, but that as with 'any new source, treasure trove of data, [Threads] is just another area of vulnerability, another thing hackers are going after'.
Emphasising that Threads is prone to the same cyber risks associated with social media platforms like Facebook, Twitter, and Instagram will keep users and employees just as vigilant on the platform.
Jake Moore, Global Cyber Security Advisor at ESET, agrees with Crowetz’ sentiment, stating that if you have signed up to Instagram, Threads’ data privacy levels are no different: “If people are already invested in Instagram, I think the natural step of adopting Threads is a straightforward move at no extra cost to privacy.”
Digital marketing site Digiday has also highlighted that while Threads does not currently feature ads, the treasure trove of data will eventually be leveraged: “While there has not been any mention of monetisation or ads on the platform just yet, this is Meta after all. Chances are there will be ads on Threads soon.”
It is important to remember that, due to its infancy, we know extraordinarily little about what steps have been taken to create this platform. For instance, we know that the Threads app works in conjunction with third parties as it is mentioned in the terms and conditions. However, it is not disclosed who these third parties are. Alan Crowetz said: “Do we trust these third parties? What are they doing with this data?”
Should a third party, working with Threads, be attacked and breached, users’ data and online identities could very well be at risk. The threat potential is further compounded when you consider that a user’s Threads profile is linked to their Instagram, which could hold financial data, imagery and even voice samples that cybercriminals can exploit for nefarious purposes.
And, if we revisit Meta’s past, you will remember the massive ramifications of the Cambridge Analytica scandal, which broke in 2018 and concerned the harvesting of Facebook users’ data for political targeting around the 2016 U.S. presidential election.
Meta is beholden to a regulatory landscape that encapsulates privacy and data protection laws. However, these vary from region to region.
In the past, as noted above, the company has faced regulatory actions relating to data privacy breaches, which have resulted in fines. Meta was recently ordered to halt data transfers from EU users to the US and fined €1.2 billion (over £1 billion) for violating General Data Protection Regulation (GDPR) requirements. While this order specifically targeted Facebook, other Meta services that do not adequately protect European users’ data could face similar scrutiny. Meta’s response has been to enhance its compliance protocols by hiring and installing privacy officers and setting up privacy oversight committees. This proactive approach must be lauded, but it is also contradicted by the launch of Threads.
When Threads launched it was clearly not fully formed. In fact, the platform has clearly been pushed out early to capitalise on the uncertainty at Twitter HQ and the recent trend of online users looking for Twitter alternatives. Not only is the platform half-baked as a social media product, it is also half-baked in a regulatory sense. Whilst you can download Threads in the US and UK, you will not be able to download it in the EU anytime soon.
Adam Mosseri, Instagram and Threads lead, lays the blame for the delay at the EU’s doorstep. The EU requires compliance with the Digital Markets Act (DMA), passed in 2022, and Threads does not yet comply with it. The DMA imposes stringent user protections on large ‘gatekeeper’ platforms: among other things, it restricts the combining of a user’s personal data across a company’s platforms and prevents companies like Meta from reusing a user’s personal data for targeted advertising across their products without consent.
In the past, Meta has faced substantial fines in the EU for GDPR violations, and under the DMA, penalties can reach up to 10% of global annual turnover.
Rob D’Ovidio, cybercrime expert, says he has learnt a lot about Threads following its European delay. D’Ovidio, who is also an Associate Professor of Criminology and Justice Studies says: “The European Union countries are much more heavily regulated in favour of the consumer and protecting privacy. What that tells me is that there are some privacy concerns that we should look into.”
The US and UK do not have an equivalent of the DMA in place. However, the Federal Trade Commission (FTC) forbids ‘unfair or deceptive’ practices regarding the handling of users’ personal information. It is possible that the forced coupling of Instagram and Threads accounts falls foul of this rule if the FTC determines that users of either service have lost adequate control of their data privacy.
When Threads eventually comes to the EU, will the European version be safer than the US and UK version? Will the US and UK version compensate and fall in line? In truth, what this tells us is that cyber security, user protection and data privacy are afterthoughts for Meta. The company’s main goal is user buy-in and network creation and in terms of cyber security, Meta would rather ask for forgiveness, than permission.
Brad Freeman, Director of Technology at SenseOn, subscribes to this very prediction: "Meta will enhance the security for Threads, but this takes time. Scammers and cyber criminals are highly innovative, and the controls implemented by Threads will be unfortunately learnt from the victims of successful scams."
Threads’ rocket-paced growth and monumental launch has triggered significant interest from users, advertisers and organisations, but has also generated serious privacy concerns over its data collection practices, its dependence on Instagram’s security policies and framework, and its absence in the EU due to stricter privacy and data protection laws.
“Several of the privacy concerns with Threads tie back to Meta’s history of concerning privacy practices,” said Calli Schroeder, Senior Counsel at the Electronic Privacy Information Center (EPIC), echoing the history we have outlined above. Schroeder continues, and captures the mindset we should all have with Meta and Threads now: “I have not seen any evidence that Meta is being transparent about what it will do with sensitive personal data or is clearly establishing why it is collecting that data other than ‘because we want to’.”
Whether you use it or not, understanding the cyber threats and risks present on this platform and on other emerging social media platforms can help inform your behaviour and how to stay safe online.
It has only been a couple of weeks since Threads’ inception and we are sure to see even more new attack vectors pop up. So, keep an ear to the ground and a bookmark on The Insider so you can stay up to date with detailed and helpful insights into the biggest cyber security news stories.
If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your organisation and how we help support security leaders in educating employees on emerging threats and safe use of social media ... please contact our Head of Business Development and Sales, Jenny Mandley.
The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51