A security research team has revealed how an unsecured database led to a massive leak of TikTok, YouTube, and Instagram accounts.
New reports suggest these accounts have started appearing for sale on dark web forums. Dark web audits often reveal new database hacks before companies report them.
Remember the hack on a prominent Hollywood lawyer demanding a Bitcoin ransom? That hack turned up on the dark web well before it was publicly acknowledged.
Unsecured databases are a treasure trove of information for connecting the dots – it’s like discovering a treasure chest as a data hacker. Comparitech researchers found the personal profile data of over 235 million Instagram, TikTok, and YouTube users on August 1st in one such database.
The data included several separate datasets, each with millions of points of reference. Much of the information was scraped from Instagram. The third-largest dataset discovered by researchers was a database of 42 million TikTok users and 4 million YouTube profiles. Many of the profiles may have contained personally identifiable information such as phone numbers or email addresses.
Researchers say the massive data leak included fields like profile name, full real name, profile photo, and account description.
That information is all publicly available, which means that the dataset was scraped by a bot and compiled. Another dataset included stats about followers and engagement for those 235 million profiles.
“The information would probably be most valuable to spammers and cybercriminals running phishing campaigns,” Paul Bischoff, a Comparitech editor, says. “Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation,” he continues.
It would be relatively easy to create a bot to find other social media profiles of those in this database.
The data appears to be gathered by a company called Deep Social, which was banned by Facebook in 2018. Facebook says Deep Social was scraping profile information (hello massive data leak) against its privacy policies.
Bischoff says after alerting administrators of the defunct company, they forwarded the disclosure to a Hong Kong-registered social media influencer data-marketing company. According to Bischoff, Social Data shut down the database about three hours after receiving the disclosure. Social Data denies any connections to Deep Social.
Since the data is likely being used to engineer phishing attacks, users should be wary. TikTok, YouTube, and Instagram users could find themselves victims of an attack similar to the Twitter hack.