Comparitech’s security research team announced today that nearly 235 million Instagram, TikTok, and YouTube user profiles have been posted online due to an insecure database in what can only be described as a massive data breach.
Recently, several reports of account-related data have been posted on dark web cybercrime forums. One dark web audit shows that there are currently 15 billion stolen credentials in circulation from 100,000 breaches, and one hacker is giving away 386 million stolen records. Not all of this data has been hacked, at least not in the usual sense of the word: some of it, as was likely the case in the Utah Gun Exchange incident, was exposed from an insecure database.
The unsecured database problem
Unsecured databases are fast becoming such a major privacy issue that a vigilante security researcher is believed to be behind the wave of “Meow” attacks that have wiped the indexes of thousands of them. It was just such an insecure database that Comparitech researchers, led by Bob Diachenko, discovered on August 1, exposing the personal profile data of nearly 235 million Instagram, TikTok, and YouTube users.
The data was spread across several data sets. The two largest, at just under 100 million records each, contain profile records that appear to come from Instagram. The third-largest was a data set of around 42 million TikTok users, followed by nearly 4 million YouTube user profiles.
Comparitech states that, based on the samples collected, one in five records contained a phone number or email address. Each record also contained at least some, and sometimes all, of the following information:
Follower statistics, including:
Number of followers
Follower growth rate
Number of likes
Timestamp of the last post
“The information would probably be most valuable to spammers and cybercriminals conducting phishing campaigns,” says Paul Bischoff, editor-in-chief of Comparitech. “Although the data is publicly available, the fact that it is fully disclosed as a well-structured database makes it far more valuable than any profile would be on its own,” adds Bischoff. In fact, Bischoff said that it would be easy for a bot to use the database to post targeted spam comments on any Instagram profile that matches criteria such as gender, age, or number of followers.
Tracing the source of the exposed data
Where does all this data come from? The researchers suggest that the evidence, including the names of the records, pointed to a company called Deep Social. However, Deep Social was banned from Facebook and Instagram in 2018 after it was found collecting user profile data. The company was dissolved some time later.
A spokesperson for Facebook said that “removing people’s information from Instagram is a serious violation of our policies. We revoked Deep Social’s access to our platform in June 2018 and sent a legal notice prohibiting any further collection of data.”
After the researchers found the database and traced the clues to its origin, “we sent a warning to Deep Social, assuming the data was theirs,” Bischoff explains. The directors of Deep Social then passed the disclosure on to a Hong Kong-registered social influencer data marketing company called Social Data. “Social Data closed the database about three hours after our first email,” says Bischoff.