A database breach has exposed profile data for nearly 235 million users of TikTok, Instagram, and YouTube. The database contained personally identifiable information (PII), such as names, contact information, images and statistics about followers.
According to a Comparitech report, the database belongs to Social Data, a company that sells data on social media influencers to marketers.
According to the report, security researcher Bob Diachenko, who leads Comparitech’s cybersecurity research team, uncovered three identical copies of the exposed data on August 1, hosted at three separate IPv6 addresses. Each copy stored data on about 235 million social media profiles in total:
- 96,714,241 records scraped from Instagram
- 95,678,713 records scraped from Instagram
- 42,129,799 records scraped from TikTok
- 3,955,892 records scraped from YouTube
Each record contains some or all of the following info:
- Profile name
- Full real name
- Profile photo
- Account description
- Whether the profile belongs to a business or has advertisements
- Statistics about follower engagement, including:
  - Number of followers
  - Engagement rate
  - Follower growth rate
  - Audience gender
  - Audience age
  - Audience location
- Last post timestamp
"Evidence suggests that much of the data originally came from a now-defunct company: Deep Social. The names of the Instagram datasets (accounts-deepsocial-90 and accounts-deepsocial-91) hint at the data’s origin. Based on this, Diachenko first contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later," reports Comparitech.
According to the report, Facebook and Instagram banned Deep Social from their marketing APIs in 2018 and threatened legal action if it continued to scrape data from their users' profiles. Deep Social then announced that it would be reducing its operations, and it has since shut down.
Social Data denies any connection between itself and Deep Social, says Comparitech.
A spokesperson from Social Data told Diachenko in an email, “Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access. I would appreciate it if you could ensure that this is made clear. Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private. [sic]”
Facebook company spokesperson Stephanie Otway told Comparitech in an email, “Scraping people’s information from Instagram is a clear violation of our policies. We revoked Deep Social’s access to our platform in June 2018 and sent a legal notice prohibiting any further data collection.”
For more information, please visit https://www.comparitech.com/blog/information-security/social-data-leak/