Instagram, TikTok and Youtube users' personal data exposed by social media company

Approximately 235 million accounts were exposed, with personal data including names and contact information left on an insecure database

Adam Smith
Thursday 20 August 2020 17:27
Comments

A company that sells social media data to marketers has left nearly 235 million Youtube, TikTok, and Instagram profiles exposed.

Social Data managed a database that was neither password-protected nor had any authentication methods, according to a report from Comparitech.

The data reportedly includes a information including names, contact information, personal information, images, and statistics about followers.

Comparitech also said it detailed information about those accounts, such as number of followers, engagement rate, follower growth rate, audience gender, audience age, audience location, and likes.

Security researcher Bob Diachenko, who had previously contributed to uncovering the ‘Meow’ hack, said he uncovered three identical copies of the exposed data at the start of the month.

According to Comparitech, the company responsible for the unsecured database was a now-shuttered firm called Deep Social. When informed of the breach by Comparitech, Deep Social forwarded the disclosure to Social Data.

The CTO of Social Data reportedly acknowledged the exposure, and took down the servers within three hours – but Social Data denies any connection between itself and Deep Social.

Facebook and Instagram banned Deep Social from their marketing APIs in 2018 for scraping data from user profiles. “Scraping people’s information from Instagram is a clear violation of our policies. We revoked Deep Social’s access to our platform in June 2018 and sent a legal notice prohibiting any further data collection”, a Facebook spokesperson said.

Speaking to Comparitech, a spokesperson for Social Data said to “note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access.

“I would appreciate it if you could ensure that this is made clear. Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database.

“Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private [sic]”, they continued.

Social Data launched in August 2019, is located in Hong Kong, and has apparently worked with companies including Samsung, Heineken, L’Oreal, Unilever, Walmart, Amazon, Disney, and Booking.com.

It is unclear how long the data had been exposed prior to 1 August, when it was detected, or whether it was accessed by malicious individuals. The Independent has reached out to Social Data for clarification.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

By clicking ‘Create my account’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in