Social media platforms Instagram, TikTok and YouTube have suffered a large-scale data breach, affecting nearly 235 million accounts.
Researchers at Comparitech discovered several exposed datasets believed to belong to Social Data, a social media data company.
The databases contain data on around 100 million Instagram users, 42 million TikTok users and 4 million YouTube users.
According to Comparitech, the data included names, photos, user engagement statistics, age and gender. Around one in five records are thought to contain either a phone number or email address.
The databases were discovered by Comparitech on 1 August and it is not known whether they were accessed by other parties. They were taken down three hours after they had been disclosed.
Rather than being the result of a hack, the data was found in an unsecured database. This happens when a customer of a data repository service accidentally leaves their database public rather than private, meaning it is not protected by a password and can be viewed by anyone who finds it.
The problem of unsecured databases has long persisted in the world of cybersecurity, with research by password manager NordPass estimating that over ten billion user credentials have been left exposed online.
“This incident further underscores the importance of investing in automated cloud security solutions, as many breaches are a result of misconfigurations of cloud services that are exploited by an attacker,” said Chris DeRamus, VP of technology, cloud security practice at Rapid7.
“Companies must employ security tools that are capable of detecting and remediating misconfigurations (such as databases left unsecured without a password) in real time, or better yet – preventing them from ever happening in the first place.”
Although this data is already publicly available, it could be used maliciously to carry out phishing, vishing (voice phishing) or smishing (SMS phishing) attacks, or to create fake imitation accounts.
Comparitech therefore advises Instagram, TikTok and YouTube users to be extra vigilant when it comes to potential scams or phishing attempts.
Comparitech has said that evidence suggests the data could be linked to Deep Social, a data scraping company that was banned by Facebook and Instagram in 2018 and has since shut down. According to researchers, datasets containing Instagram data were named accounts-deepsocial-90 and accounts-deepsocial-91.
Data scraping is when a computer program is used to extract data from websites, in this case from social media profiles. Data scraping is not permitted by Facebook, Instagram, TikTok and YouTube, but it can often be difficult for social media platforms to determine when it is happening.
Social Data denies any connection between itself and Deep Social.
“Breaches like this fuel the attacks to people that open more doors to much more valuable data. Given the prevalence of work-from-home right now, it’s not surprising to see data like this circulating,” said Mark Bower, SVP data security specialist at comforte AG.
“Specific personal data enables more effective spearphishing to attack an enterprise with higher risk, higher value data. The bottom line here is enterprises need to be both protecting their own personal data to neutralise it from risk of theft and scraping, and ensuring employees don’t become the vector of exploits from attackers who quite literally have more socially exploitable data on them than the businesses they report to.”