Breach Brief – TikTok, Instagram, YouTube
An exposed database was found online that contained data for nearly 235 million users of TikTok, Instagram, and YouTube. The database contained personally identifiable information (PII), including names, contact information, images and statistics about followers. As a matter of fact, according to security researcher Bob Diachenko, who leads Comparitech’s cybersecurity research team, three identical copies of the exposed data were found hosted at three separate IP addresses.
The information was believed to have been scraped from TikTok, Instagram and YouTube. Here is the breakdown:
- 96,714,241 records scraped from Instagram
- 95,678,713 records scraped from Instagram
- 42,129,799 records scraped from TikTok
- 3,955,892 records scraped from YouTube
These records contain the following information:
- Profile name
- Full real name
- Profile photo
- Account description
- Whether the profile belongs to a business or has advertisements
- Statistics about follower engagement, including:
  - Number of followers
  - Engagement rate
  - Follower growth rate
  - Audience gender
  - Audience age
  - Audience location
- Last post timestamp
Now here is where the story gets just slightly twisted. Based on the evidence, much of the data seems to be the leftover remnants of a now-defunct company called Deep Social. Based on this, Diachenko contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later. Remember that. It's important.
Now, according to the report, Facebook and Instagram banned Deep Social from their marketing APIs in 2018 and threatened legal action against the company if it continued to scrape data from their users’ profiles. Deep Social reduced its operations and eventually went under. According to Comparitech, Social Data denies any connection between itself and Deep Social. If that is so, then why did the Deep Social representative refer Diachenko to Social Data? And how was Social Data able to remove the database?
An email from Social Data to Diachenko stated: “Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with internet access. I would appreciate it if you could ensure that this is made clear. Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private.” But remember, Social Data has no link to Deep Social. Go figure.