223 Million YouTube, TikTok And Instagram Accounts Exposed In Massive Data Breach
According to Comparitech researchers, a database of nearly 235 million social media profiles from platforms such as Instagram, TikTok, and YouTube, was exposed on the internet. This could open users up to phishing and impersonation scams as well as unwanted email usage.
On August 1st, Bob Diachenko, a cybersecurity researcher at Comparitech, uncovered three copies of the data on servers ultimately controlled by Hong Kong- based Social Data. Social Data is a company that sells data of social media influencers to marketers. According to hints in the database, the data was initially owned by a company called Deep Social, which is now dissolved. It is assumed that this data was collected with web scraping tactics, whereby bots crawl pages looking for and collecting user data. When Diachenko discovered this data, he first reached out to contacts at Deep Social, who then forwarded the information onward to Social Data. The Chief Technical Officer at Social Data acknowledged the breach, though they claim no ties to Deep Social, and the servers hosting the data were subsequently shut down.
Each record in the exposed database(s) contained the following:
- Profile name
- Full real name
- Profile photo
- Account description
- Whether the profile belongs to a business or has advertisements
- Statistics about follower engagement, including:
- Number of followers
- Engagement rate
- Follower growth rate
- Audience gender
- Audience age
- Audience location
- Last post timestamp
- Approximately 1/5 of the records had an email or phone number.
It appears that anyone with an internet connection could access this data at any time. At present, it is unknown how long the data was exposed or who accessed it. The information included could be used for targeted phishing, scamming, and impersonation schemes. Also, as Comparitech states, “The images could also be used without the owners’ permission for face recognition purposes.”
As reported in Comparitech's posting, a spokesperson for Social Data told Diachenko in an email the following:
Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access. I would appreciate it if you could ensure that this is made clear. Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private. [sic]
For a company who got caught with their pants down with respect to data, it seems a little seedy to hand wave away the accessibility of a database containing user data. Though it is always good to change your password regularly, at least no passwords were found in this data. On the other hand, emails were included, and as such, one should keep an eye on email usage and security. Overall, users should always be wary of their online presence and only share what is necessary. Similarly, users should make sure that their passwords and accounts are secure by using password managers and two-factor authentication. Thankfully, this breach was not any worse than it already was.