The profiles of 235 million Instagram, TikTok and YouTube users have leaked online after Social Data left a massive database unsecured. The Hong Kong-based Social Data provides data sets on influencers from various social media platforms to marketers. According to Comparitech researchers, who have published a full report on the data breach, the leaked database contains names, contact details, personal information, pictures, detailed account insights and more such private data.
The technique used to collate such a large database is called web scraping, wherein an automated script collects bulk data from websites and web pages. These 235 million user profiles on Instagram, TikTok and YouTube are public, which is why companies like Social Data can acquire all the personal information that users put out on their social media accounts.
The report details as many as 192,392,954 user profiles from Instagram, 42,129,799 profiles from TikTok and 3,955,892 user records from YouTube as part of the large data sets leaked online. Comparitech says, “We do not know how long the data was exposed for prior to our discovery of it on August 1. We also do not know whether any unauthorized parties accessed it during the exposure. Our honeypot experiments show that hackers can find and attack unsecured databases within hours of being exposed.”
After Comparitech reached out to Social Data to disclose the incident, the company acknowledged the exposed databases and took them down. That said, it is currently unknown how long these unsecured databases were exposed and who might have accessed them before they were taken offline.
The researchers found that the databases left unsecured by Social Data contained data sets from a now-defunct company, Deep Social. Interestingly, Deep Social was banned by Facebook in 2018 for using its APIs to scrape data from users' profiles. Subsequently, Deep Social terminated its operations, and Social Data has denied any connection between the two companies, both of which were involved in scraping data on social media influencers.
As per Comparitech, the four databases contained details such as each user's profile name, real name, profile picture, account insights like the number of followers, likes, the growth rate of followers and engagement rate, and other demographic data of the audience, along with a timestamp of the last post. Moreover, around 20% of the samples collected by the researchers contained either a mobile number or an email address.
These datasets can be used to target users with marketing and phishing campaigns, making many users' accounts vulnerable to a “mass attack”. Meanwhile, the pictures collected from these accounts can be used for facial recognition systems and can also be used to create fake accounts.
While social media companies have often barred data scraping companies from operating on their platforms, this has not stopped data-collecting firms from using more modern approaches and tools to collect data in bulk.
We recommend that our readers be on the lookout for any phishing or spam emails and malicious links that could provide further access to attackers. In fact, Google has removed 25 apps from the Play Store for phishing Facebook log-in details.