Youtube, TikTok and Instagram Exposed in 223 Million Account Data Breach

In data breach news, this month saw a database of almost 235 million social media profiles exposed on the internet from such recognisable platforms as Youtube, Instagram and TikTok.

The research undertaken has identified that information breached could open users up to phishing and impersonation scamming as well as unwarranted email usage.

On August 1st, three copies of data on servers were discovered to be controlled by Social Data, a Hong Kong based company that sells data to marketers of social media influencers. According to investigation of the database, it was initially owned by another company since dissolved called Deep Social. It is under assumption that the data was collected by way of web scraping tactics which allows bots to crawl pages collecting user data.

Upon discovery of the data, Deep Social was contacted who then forwarded information onto Social Data who acknowledged the breach whilst claiming no ties to Deep Social. The servers hosting the data were immediately shut down, however the amount of data exposed in each record included a comprehensive list of information ranging from profile pictures, names, likes and account descriptions to statistics about numbers of followers and engagement rates. Approximately ⅕ of the profiles accessed had exposed email and phone numbers also.

It was addressed that anybody with internet connections could access the data freely, however it is not known how long the data was exposed or who had accessed it.

The main concerns among investigators is that the data is being utilised for targeted phishing schemes, scamming and impersonation reasons. Images are also considered to be targeted for face recognition purposes.

In an email provided by Social Data to cybersecurity house Comparitech, a spokesperson stated;

“Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access. I would appreciate it if you could ensure that this is made clear. Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private.”

Thankfully passwords for individual accounts were not accessible through the data breach, however email accounts were included and it is advised to keep an eye on security and usage. It has been recommended that users limit what information they share online as well as implement a two-factor authentication to their online platforms as necessary in order to better understand how to protect data online.