Why Instagram Threads is a hotbed of risks for businesses

Instagram’s Threads platform launched to great fanfare in July with a massive surge of users signing up for the new text-sharing and public conversation service, including businesses using the service as an extension of existing social media and communications programs.

Many have seen it as an alternative to Elon Musk’s X — formerly Twitter — platform, which has been roiled by massive layoffs, changes that have infuriated some longtime users, and the appearance that Musk’s free speech mandate has given a renewed voice to white supremacists and other hate groups.

Instagram users log into Threads via their Instagram account and can post up to 500 characters as well as links, photos, and videos up to five minutes in length. Meta’s new social network is also considered a direct competitor to Slack, receiving over 10 million in site traffic in its first two weeks, with the app’s global website ranking skyrocketing from 545,741 to 5,813.

Demand for and intrigue about Instagram Threads is high. However, Threads is also already proving to be a target for fraud and abuse, with several potential security and compliance risks associated with its use for organizations.

Domain fraud and brand abuse

Research from CSC found 428 new domain registrations using the term “threads” between June 26 and July 27, 2023, many of which have some sort of affiliation to existing brands. This points to the need for organizations to monitor their domain activity to determine which registrations on Threads are authorized and authentic, and which are fraudulent and can put their brand at risk of abuse, CSC said. Possible brand infringements can include impersonation and hacks.

Veriti said it observed a surge in the creation of suspicious domains, with 700 domains related to Threads being registered daily. These domains pose a significant risk as they can be used to deceive users, distribute malware, and lure unsuspecting individuals into downloading untrusted versions of the app.

“As with any new tool or technology, organizations should take the initiative to learn about its risks and consider the security measures needed before jumping right into more consistent use,” CSC said. In the case of online platforms like Threads, cybercriminals will try to beat you to the punch, so it is crucial for organizations to be aware of their entire domain landscape and take proactive steps to cut off exploits and infringements from the source at the time of registration, CSC wrote.
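The kind of domain monitoring described above can be sketched as a triage pass over a feed of newly registered domains. This is an added example, not code from CSC, Veriti, or the article; the brand names, the authorized list, and the feed are constructed placeholders, and all sample domains use the reserved `.example` TLD.

```python
import re

# Assumptions (constructed for illustration, not from the article):
BRANDS = {"acme", "examplecorp"}          # hypothetical brand keywords to protect
AUTHORIZED = {"acme-threads.example"}     # registrations the organization made itself
PLATFORM_TERM = "threads"

# Undo common digit-for-letter swaps used in lookalike registrations.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def normalize(name):
    """Lowercase, reverse digit swaps, drop separators: 'thr3ads-acme' -> 'threadsacme'."""
    return re.sub(r"[^a-z]", "", name.lower().translate(LOOKALIKES))

def triage(domain):
    """Classify one newly registered domain.

    Returns 'authorized', 'ignore', 'platform-only' (mentions the platform term
    but no protected brand) or 'review:<brands>' (platform term plus a brand).
    """
    d = domain.strip().lower().rstrip(".")
    if d in AUTHORIZED:
        return "authorized"
    # Compare everything left of the final label, so subdomain-style names count too.
    name = normalize(d.rsplit(".", 1)[0])
    if PLATFORM_TERM not in name:
        return "ignore"
    hits = sorted(b for b in BRANDS if b in name)
    return "review:" + ",".join(hits) if hits else "platform-only"

def scan(feed):
    """Return {domain: verdict} for every feed entry that is not 'ignore'."""
    results = {}
    for domain in feed:
        verdict = triage(domain)
        if verdict != "ignore":
            results[domain] = verdict
    return results

# Constructed sample feed of newly registered domains.
FEED = [
    "acme-threads.example",
    "thr3ads-acme.example",
    "threads-download-app.example",
    "EXAMPLECORPTHREADS.example.",
    "knitting-needles.example",
]

if __name__ == "__main__":
    for domain, verdict in scan(FEED).items():
        print(f"{verdict:22} {domain}")
```

Entries marked `review:` are the ones to check against the organization's own registration records; `platform-only` entries mention the platform term without a protected brand.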

Malicious URLs and malware downloads

High-profile products draw keen interest from malicious actors, and Threads is no exception, Alexander Applegate, senior threat researcher at DNSFilter, tells CSO. “Threads attracted 100 million users in its first week, displacing ChatGPT to become the fastest application to achieve that mark. During that same week, researchers found 200 million suspicious URLs associated with the tool.”

While the threat is not one that is likely to make its way into the Apple Store’s walled garden, many of the links were false downloads for malware, Applegate says. “The remaining links were taking advantage of the low state of security review for the product and looking to capitalize on user trust to perpetrate scams and to deliver malware via posting on the platform.”

Unintentional and malicious data leakage/exposure

If employees use Threads for official communication or to share sensitive data, there is a risk that the data could be leaked unintentionally. “Even if they are using it for personal conversations, discussions about company projects, strategies, or internal gossip might slip out,” says Guenther.

Threads has a feature for sharing one’s location, and if used carelessly by an employee, it could reveal sensitive or strategic business location data. Likewise, content shared on Threads, like any cloud service, is stored in servers managed by the service provider. Even if encrypted, there’s always a concern about how this data could be used or who might gain access, Guenther adds.

What’s more, Instagram Direct (and by extension, Threads) doesn’t use end-to-end encryption for messages (like Signal or WhatsApp) by default. “This means that the content of messages is potentially accessible by Instagram and anyone who can compromise Instagram’s systems,” Guenther says.

Shared credentials and account hijacking

Threads is very easy to both download and sign up for, as it integrates seamlessly with a user’s Instagram account at sign-up. However, this seamless integration could pose security risks, according to a blog from AgileBlue. Instagram, Facebook, and now Threads are all owned by Meta, and for many users their Meta accounts share the same login credentials across the platforms.

“This makes it much easier for malicious actors to access information as gaining access to just one account ultimately gives them access to all Meta accounts,” the blog said. In fact, as of writing, only users with an Instagram account can create a Threads account, so if an individual wants to sign up for Threads, they will first have to create an Instagram account.

“If an employee’s Threads account is compromised, malicious actors can impersonate the employee to gather information or spread misinformation within their close circle,” Guenther says.

Data privacy and compliance issues

Organizations that are required to maintain certain compliance standards might find it challenging if employees use personal apps such as Threads for work-related matters, Guenther says. The app is unavailable in areas with strict privacy laws, such as the European Union (EU). Countries in the EU are much more heavily regulated when it comes to protecting the privacy of the consumer, but regulatory scrutiny regarding Threads extends to the US and other countries.

“Meta, the parent company of Threads, remains under a consent decree imposed by the FTC in 2012, which prohibits ‘unfair or deceptive’ practices in handling user personal information. If the forced linking of Instagram and Threads accounts results in users losing adequate control over their data privacy or necessitates burdensome additional steps to ensure data security, it is possible that this could be deemed a violation of the FTC decree,” read AgileBlue’s posting.

This highlights the potential legal implications and the importance of ensuring users’ privacy rights are upheld in the context of using Threads, particularly given that Threads collects more user data than many other social media platforms today.

“The obvious initial concern is Meta’s historical track record with data privacy, and Threads is no exception. It demands access to all manners of personal data, including location-tracking information, social networking data, financial data, even when the application is not in use,” Applegate says.

Phishing and vulnerabilities

Any messaging platform can be used to deliver phishing messages and is susceptible to vulnerabilities. “Employees might receive malicious links or be manipulated into sharing sensitive information,” Guenther says. Undiscovered vulnerabilities (zero-days) might be exploited by attackers and, given that Threads is linked with Instagram, there’s a risk that vulnerabilities or data breaches in one app could potentially affect the other, she adds. Vulnerabilities could also be misused to exploit the permissions Threads asks for (like access to contacts and location) on a device.

Training, policies, and monitoring are key to secure use of Threads

To help ensure secure use of Threads within a business, Guenther recommends implementing a combination of employee training, policies, and monitoring. “Employees should be aware of the risks related to using personal messaging apps for professional purposes. Policies should outline clear guidelines regarding the use of personal apps on work devices. Monitoring tools should detect unauthorized apps or activities.”

Two areas in which Threads shows security promise are the lack of a direct-message function, which should help to some extent with cyberbullying, and the absence of advertising, which removes the threat of malvertising and other ad-based scams, Applegate says. “The initial buzz also seems to have cooled significantly, and the platform has apparently lost about half of its subscribers since early June. With less users comes less interest from threat groups.”
