KUALA LUMPUR, Aug 21 — Cybersecurity researchers over at Comparitech have discovered a database breach that has exposed the profile data of almost 235 million user accounts on TikTok, Instagram, and YouTube.
The compromised information includes names, contact info such as emails and phone numbers, images, and follower statistics of affected accounts.
According to the report, the information was obtained from the servers of Social Data — a company that makes its living selling social media influencer data to marketing companies.
It’s important to understand Social Data does not hack/steal this data — instead, the information is procured using a process called “web-scraping”.
What is web-scraping?
Web-scraping is an automated process that’s used to retrieve information from websites — Facebook, Instagram, or TikTok, in this case.
The information that can be obtained by web-scraping is public in nature, although the legality of the technique falls within a grey area of sorts.
For one thing, data scraping is against the Facebook, Instagram, TikTok, and YouTube Terms of Use.
Deep Social — a now-defunct company — was the source of most of the data, although Social Data states that it is not affiliated with the company.
For some context, Deep Social was earlier banned from Facebook and Instagram’s marketing APIs due to web-scraping practices. A Facebook spokesperson, when speaking with Comparitech, explained:
“Scraping people’s information from Instagram is a clear violation of our policies. We revoked Deep Social’s access to our platform in June 2018 and sent a legal notice prohibiting any further data collection.”
However, Comparitech explains that such data-scraping bots can be difficult to detect by social media companies.
As such, data has been collected — and now breached — from almost 235 million accounts across the three platforms.
While Social Data’s servers have been taking down since, what’s worrying is that free access to the database was available on the web — no password, no authentication, nothing.
Affected information includes:
- Profile name
- Full real name
- Profile photo
- Account description
- Whether the profile belongs to a business or has advertisements
- Statistics about follower engagement, including:
- Number of followers
- Engagement rate
- Follower growth rate
- Audience gender
- Audience age
- Audience location
- Likes
- Last post timestamp
- Age
- Gender
While the information may have been publicly available, web-scraping is a process that divides opinions due to valid privacy and security concerns. Profile information can be used in spam campaigns — and, crucially, phishing methods that can be used to obtain information that is even more dangerous. Images may also be used for identity theft, or to spoof facial recognition safeguards.
For now, web-scraping continues to be a controversial topic — in a similar way that 3rd party cookies are, actually. It has its uses — take navigation apps as an example — but it can also compromise the privacy and security of social media accounts. To keep (most of) your data private, you can set your accounts to be “private” on various social media platforms, which means that only approved “followers” have access to personal information on your profile.
For the full report, click here. — SoyaCincau
