
Nearly 235 million accounts on Instagram, TikTok, and YouTube exposed in data breach

Users' names, ages, and account details were left in an unprotected server

If you’re a YouTube, TikTok, or Instagram user, hold on to your personal data, folks, because a gargantuan leak of social media profiles has shown up at the doorstep of these platforms.

According to an incident brought to light by researchers at Comparitech, Hong Kong-based Social Data exposed a database of close to 235 million social media profiles by leaving it without a password or any other authentication required to access it. The exposed data includes these items from personal profiles:

  • Profile and real full name, age, and gender

  • Profile photo

  • Whether the profile belongs to a business or has advertisements

  • Statistics about follower engagement, including: number of followers, engagement rate, follower growth rate, audience gender/age/location, and likes

  • Last post timestamp

Based on samples Comparitech collected, it says that about 20 percent of the records also contained either a phone number or email address.

Scraping all it can find

Social Data’s model is anything but consumer-friendly, but at least it’s honest about what it does. In its Terms of Service, it admits that it “scrapes” the data of influencers who “have a presence on the Internet having in excess of a certain amount of followers (decided by the marketer) on various social media platforms.” In other words, if you have 1,523 followers on Instagram and a marketer is looking for people who have at least 1,000, you would be a prime candidate to be scraped.

Web scraping is an old-hat way of automating the copying of data from web pages in bulk. It is relatively inexpensive, and that appeals to marketing firms that can’t afford more aboveboard methods. Social Data swears that it only scrapes what is publicly accessible, but the practice violates the terms of use of Facebook, Instagram, TikTok, and YouTube.

Deep Social was banned from Facebook and Instagram in 2018, but apparently it found a way to worm its way back in. Comparitech says that the wormhole likely came about because automated scraping bots can be difficult to distinguish from normal website visitors. Because of that, social media platforms have a hard time preventing them from accessing user profiles until it’s too late.

Social Data defends itself

A Social Data spokesperson told Comparitech security researcher Bob Diachenko in an email that the data was not “hacked” because it was collected in a legal way. 

“Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access,” the spokesperson said.

“I would appreciate it if you could ensure that this is made clear,” the spokesperson continued in their email to Diachenko. “Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private. [sic]”
