If you’re a YouTube, TikTok, or Instagram user, hold on to your personal data, folks, because a gargantuan leak of social media profiles has shown up at the doorstep of these platforms.
In an incident brought to light by researchers at Comparitech, Hong Kong-based Social Data exposed a database of close to 235 million social media profiles by leaving it without a password or any other authentication required to access it. The exposed data includes these items from personal profiles:
Profile and real full name, age, and gender
Whether the profile belongs to a business or has advertisements
Statistics about follower engagement, including: number of followers, engagement rate, follower growth rate, audience gender/age/location, and likes
Last post timestamp
Based on samples Comparitech collected, it says that about 20 percent of the records also contained either a phone number or email address.
Scraping all it can find
Social Data’s model is anything but consumer-friendly, but at least it’s honest about what it does. In its Terms of Service, it admits that it “scrapes” the data of influencers who “have a presence on the Internet having in excess of a certain amount of followers (decided by the marketer) on various social media platforms.” In other words, if you have 1,523 followers on Instagram and a marketer is looking for people who have at least 1,000, you would be a prime candidate to be scraped.
Deep Social was banned from Facebook and Instagram in 2018, but apparently it found a way to worm its way back in. Comparitech says that the wormhole likely came about because automated scraping bots can be difficult to distinguish from normal website visitors. Because of that, social media platforms have a hard time preventing them from accessing user profiles until it’s too late.
Social Data defends itself
A Social Data spokesperson told Comparitech security researcher Bob Diachenko in an email that the data was not “hacked” because it was collected in a legal way.
“Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access,” the spokesperson said.
“I would appreciate it if you could ensure that this is made clear,” the spokesperson continued in their email to Diachenko. “Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private. [sic]”