August 21, 2020
On August 1, security research firm Comparitech, led by Bob Diachenko, discovered a massive data leak of nearly 235 million Instagram, TikTok and YouTube user profiles. The leak was caused by an unsecured database, a pattern that is quickly becoming a widespread cause of similar breaches. An audit of the dark web found about 15 billion stolen logins originating from 100,000 such unsecured database breaches. The data leak discovered by Diachenko and his team was spread across several datasets, including two of about 100 million Instagram users each.
Forbes reports that the third-largest dataset held about 42 million TikTok user profiles, and a further dataset held under 4 million YouTube profiles.
Comparitech reported that, “based on the samples it collected, one in five records contained either a telephone number or email address … [and] every record also included at least some, sometimes all, the following information: Profile name, Full real name, Profile photo, Account description, Statistics about follower engagement.”
“The information would probably be most valuable to spammers and cybercriminals running phishing campaigns,” said Comparitech editor Paul Bischoff. “Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation.”
Comparitech’s research pointed to Deep Social, a company banned by Instagram and Facebook in 2018 for data scraping, as the source of the data breach. After Comparitech sent an alert to Deep Social, that company “forwarded the disclosure to a Hong Kong-registered social media influencer data-marketing company called Social Data.”
According to Bischoff, Social Data, which denied any connection between itself and Deep Social, “shut down the database about three hours after our initial email.” Forbes noted that, “it should also be made clear that the data leaked, social media public profile data is available to anyone who visits the accounts of the users concerned … [but] the phishing risk is clearly amplified once such a hoard of profiles is collected together in a well-structured database.”
In its report, Comparitech said, “our honeypot experiments show that hackers can find and attack unsecured databases within hours of being exposed.”
Forbes reached out to Social Data, and its spokesperson stated that, “we collect data and enrich it with additional useful insights solely on behalf of our reputable customers, who use it strictly for the intended purposes … as soon as we learned of the incident, we fixed it immediately. We have since been closely working with the information security experts on auditing our security infrastructure and increasing the required levels of information security to avoid similar occurrences in the future.”