FaceApp, Sephora hack: Your data could be in danger from third parties

Sheila Chiang
Lifestyle contributor
Data breach is getting common these days. (PHOTO: Getty Images)

SINGAPORE — Thanks to the so-called FaceApp Challenge, celebs (and everyone else) have been adding years to their visage with the app’s old-age filter and sharing the photos on Facebook. The app went viral in 2017, and amassed more than 80 million active users. The app uses artificial intelligence to create a rendering of what you might look like in a few decades on your iPhone or Android device.

But one tweet set off a minor internet panic this week, when a developer warned that the app could be taking all the photos from your phone and uploading them to its servers without any obvious permission from the user.

While the creator of the FaceApp assured that they only upload a photo selected by a user for editing and they never transfer any other images from the phone to the cloud, and most images are deleted from their servers within 48 hours from the upload date, this brings up again the question that many have been asking: Is our data safe in the hands of these apps, or anyone for the matter?


EU court rules sites must warn about Facebook 'like' button

Bruce Lee's Daughter Calls Portrayal of Her Father in 'Once Upon a Time in Hollywood' a 'Mockery'

Vogue cover: Who are the Duchess of Sussex's handpicked female trailblazers?

Just like any photo app, FaceApp does not request the right to save photos or access only the photos you explicitly present, but your photo library on the whole. Is it absolutely necessary?

Security breaches are happening more regularly nowadays. Some note-worthy examples are SingHealth and Facebook.

Last year Singapore suffered the worst cybersecurity attack when hackers broke into SingHealth’s IT systems to steal the data of 1.5 million patients and records of the outpatient medication given to Prime Minister Lee Hsien Loong.

In the same year, Facebook discovered an attack that exposed the personal details of 50 million accounts, including those of co-founder Mark Zuckerberg and chief operating officer Sheryl Sandberg.

And just on Monday (29 July), Sephora Southeast Asia released an email apologising that they discovered a breach in data related to some customers who have used their online services in Singapore, Malaysia, Indonesia, Thailand, Philippines, Hong Kong SAR, Australia and New Zealand.

Yahoo Lifestyle Singapore reached out to Sephora for their comments.

“We became aware of a potential incident over the last two weeks, concerning data related to some customers who have used our online services in Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong SAR, Australia and New Zealand. We can confirm no credit card information was accessed and have no evidence that any personal data has been misused.

Protecting the safety of our customers’ information is of the utmost priority. We have engaged independent experts to conduct an investigation, thoroughly reviewed our security systems, and cancelled all existing passwords for customer accounts in the impacted database.” said a Sephora Southeast Asia spokesperson.

When asked how many consumers are affected from the database, the Sephora Southeast Asia spokesperson said, “Sephora customers outside of Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong SAR, Australia and New Zealand are not affected in any way by this incident. All our regional databases operate independently. This issue is limited to the database serving our Southeast Asia, Hong Kong SAR and Australia/New Zealand e-commerce customers.”

Top view of woman at wooden desk with credit card and laptop. (PHOTO: Getty Images)

Yahoo Lifestyle Singapore also contacted cybersecurity experts on their take regarding the Sephora breach.

Nabil Hannan, Managing Principal at Synopsys Software Integrity Group shared: “At first, the Sephora breach seems as mysterious as beauty products are to most men. Given how they found no major vulnerability (based on their efforts to find the vulnerability) doesn’t mean that data could not have been leaked. There are two things that immediately come to mind when reading the statement from Sephora’s managing director.

The first being that they say there is “no reason to believe that any personal data has been misused” – this is very hard to claim given they have made a statement that user data has been breached, including things like first and last name, date of birth and gender. It’s not possible to determine how this data may have been misused after the breach.

Another thing about this incident that stands out is the fact that they did a review of their software, but found no major vulnerability. Sometimes a vulnerability may not be required for a breach to occur. Organizations also need to consider that potential malicious insider threats may exist. For example, when looking at where the database was breached, it’s important to understand the threat model of the system, and determine things like who had access to the database and if they really needed to have access.

These types of breaches highlight the importance of conducting a holistic assessment of the full software ecosystem through threat modeling or architecture risk analysis to determine if there are flaws in how the software is designed that could be used maliciously by an insider to result in such a breach, even when there may not be any major security bug in the software components.”

Laurie Mercer, Sales Engineer, EMEA, HackerOne echoed this: “Sephora has responded very responsibly to this data breach, notifying customers and reviewing its security systems so customers can be confident in the company that is now doing the right thing by them.

However, while consumers do place trust in companies to keep their data secure, when they learn of a data breach like this, I’d recommend they also take precautionary steps to secure their data regardless of whether or not they think they’ve been affected to avoid any nasty surprise years down the line. In a case like this, keeping vigilant for spam and phishing emails is going to be key after such a breach.

Breaches like this also drive home the point that every company should have a formal process to accept vulnerability reports from external third parties. A Vulnerability Disclosure Policy or Security@ email is the best way to ensure that when someone sees something exposed, they can say something.”

Can we trust these parties to safeguard our data? The answer is a resounding no.

There is a need to prioritise cybersecurity. While the government introduces more initiatives to strengthen cybersecurity, we can adopt some ways ourselves in order to safeguard our accounts and data.

  1. Do not give your personal data freely without paying close attention to the terms and conditions.

  2. Practise good password management. Use a strong mix of characters, and do not use the same password for multiple sites. Do not share your password with others, do not write it down, and definitely do not write it on a post-it note attached to your monitor.

  3. Be cautious of public Wi-Fi. Free Wi-Fi access can be very appealing for business or leisure travelers but is also particularly vulnerable to security issues. Avoid unencrypted Wi-Fi networks. Be extra cautious using Internet cafes and free Wi-Fi hotspots; if you must use them, avoid accessing personal accounts or sensitive data while connected to that network.

  4. Sensitive browsing, such as banking or shopping, should only be done on a device that belongs to you, on a network that you trust. Whether it’s a friend’s phone, a public computer, or a cafe’s free WiFi—your data could be copied or stolen.

  5. Watch what you are sharing on social networks. Malicious individuals befriend you and easily gain access to a shocking amount of information—where you go to school, where you work, when you’re on vacation. They can use your geolocation information to track you down and stalk you. Or they can use it to collect even more personal data and release it publicly.