235 Million Accounts of Instagram, TikTok, and YouTube Users Have Been Exposed
On August 1, Comparitech's security researchers found a database holding a large volume of personal information that was reachable from anywhere on the internet without any form of authentication. Led by Bob Diachenko, the team analyzed the contents of the server and determined that it held just over 238 million records. Of them, 192 million belonged to Instagram users, about 42 million had been taken from the popular video-sharing platform TikTok, and just under 4 million contained information related to YouTube accounts.
The records weren't uniform in the information they exposed. Only about a fifth of them, for example, contained either a phone number or an email address. No passwords were exposed, though quite a lot of other information was left for the taking: profile names, real names, profile photos, the users' age and gender, and a wide array of statistics on their engagement with social media and with other people. Once the team knew what sort of data had been exposed, Diachenko's next job was to figure out how it had ended up in the leaky databases.
Instagram, TikTok, and YouTube weren't hacked
Social media users among you will be relieved to learn that the leak wasn't the result of coordinated cyberattacks against Instagram, TikTok, and YouTube. In fact, the leaked data wasn't stolen in the full sense of the word. It was information the account owners themselves had made public on their profiles, which an automated script had then scraped and organized into the database.
Initially, Diachenko was fairly sure that the databases belonged to Deep Social, a now-defunct analytics company that used to work in the field of influencer marketing. A couple of years ago, Deep Social was bragging about a large client base and collaborations with major companies. In the summer of 2018, however, Facebook told Deep Social that it was no longer allowed to use the platform's API because it had violated the terms of service. Shortly thereafter, the analytics company folded.
Nevertheless, Diachenko managed to contact a person involved with Deep Social and disclosed the leak. He was told that his email had been forwarded to another influencer marketing company by the name of Social Data. Social Data took the server down just hours after the disclosure, and a spokesperson got in touch with Comparitech to apologize for the leak and to point out that Social Data has no connection to Deep Social. The presence of "deepsocial" in the names of Social Data's databases and the similarities between the About Us pages on the two companies' websites remained unexplained.
Why was the leak bad?
You might think that the leak isn't so bad. After all, as Social Data's spokesperson was only too happy to emphasize, every piece of information in the database can be seen on the profile pages of the 238 million affected accounts. It's publicly available, and, at least in theory, the owners know that very well. All Social Data did was scrape it and collect it in a well-organized database. This, mind you, is pretty much the same thing Deep Social was doing until Facebook gave it a slap on the wrist.
The problem is aggregation. A single public profile is of limited use to an attacker, but a database that links a real name to a handle, a photo, an age, a gender, engagement statistics and, for roughly a fifth of the records, an email address or phone number is exactly the raw material a targeted phishing or impersonation campaign needs, and it can be searched and filtered at scale. Data scraping is the process that creates these huge datasets, and that's why social media giants like Facebook don't tolerate it. What's even worse, as Social Data demonstrated, these databases are sometimes not stored securely, and that makes the crooks' lives a whole lot easier.
Unfortunately, this incident is a very good illustration of how little control users have over what happens to their data once it's on their social media profile. That's why you should probably be more careful with the personal details you share on these platforms. If you use Instagram, TikTok, or YouTube, you should also bear in mind that it's not yet clear whether anyone else accessed the leaked data before the server was taken down. You might want to be on the lookout for suspicious emails or messages, particularly ones that quote details from your public profile to appear legitimate.