Instagram, TikTok and YouTube users' personal data exposed by social media company

Approximately 235 million accounts were exposed, with personal data including names and contact information left on an insecure database

Adam Smith
Thursday 20 August 2020 17:27 BST

A company that sells social media data to marketers has left nearly 235 million YouTube, TikTok, and Instagram profiles exposed.

Social Data managed a database that was not password-protected and had no authentication methods, according to a report from Comparitech.

The data reportedly includes names, contact information, personal information, images, and statistics about followers.

Comparitech also said the data included detailed information about those accounts, such as number of followers, engagement rate, follower growth rate, audience gender, audience age, audience location, and likes.

Security researcher Bob Diachenko, who had previously contributed to uncovering the ‘Meow’ hack, said he uncovered three identical copies of the exposed data at the start of the month.

According to Comparitech, the company responsible for the unsecured database was a now-shuttered firm called Deep Social. When informed of the breach by Comparitech, Deep Social forwarded the disclosure to Social Data.

The CTO of Social Data reportedly acknowledged the exposure, and took down the servers within three hours – but Social Data denies any connection between itself and Deep Social.

Facebook and Instagram banned Deep Social from their marketing APIs in 2018 for scraping data from user profiles. “Scraping people’s information from Instagram is a clear violation of our policies. We revoked Deep Social’s access to our platform in June 2018 and sent a legal notice prohibiting any further data collection”, a Facebook spokesperson said.

Speaking to Comparitech, a spokesperson for Social Data said to “note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access.

“I would appreciate it if you could ensure that this is made clear. Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database.

“Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private [sic]”, they continued.

Social Data launched in August 2019, is located in Hong Kong, and has apparently worked with companies including Samsung, Heineken, L’Oreal, Unilever, Walmart, Amazon, Disney, and Booking.com.

It is unclear how long the data had been exposed prior to 1 August, when it was detected, or whether it was accessed by malicious individuals. The Independent has reached out to Social Data for clarification.
