Data breaches and leaks are never fun, especially when they affect a platform you frequently use. Usually, the most dangerous targets are e-commerce sites, because they hold payment information. But the other breaches that are most difficult to contain involve social media platforms, because of all the personal data they contain.
Breaches of popular social networks are thankfully quite rare, but they do happen. And when they do, it can spell disaster for millions of users.
But if you’re a user of Instagram, TikTok or YouTube, you have a new reason to be alarmed. A defunct data broker left a database of nearly 235 million profiles from these platforms online without any kind of password or authentication to protect it. This means millions of profiles could now be in the hands of cybercriminals without their owners ever knowing.
A data disaster in the making
According to a new security report by Comparitech, a massive database containing nearly 235 million Instagram, YouTube and TikTok accounts was discovered online with no form of password or authentication.
This data was initially discovered by the data aggregator Social Data, who reported its findings to Comparitech. After doing some deep diving, Comparitech found that the database belonged to a defunct company known as Deep Social, which was banned from Facebook and Instagram back in 2018 for scraping data from user profiles.
And based on what we can see in the scraped data, it appears that Deep Social was quite busy gathering data. In the sample analyzed by Comparitech, the following numbers of records were documented from each platform:
- 96,714,241 records were scraped from Instagram
- 95,678,713 additional records were scraped from Instagram and stored separately
- 42,129,799 records were scraped from TikTok
- 3,955,892 records were scraped from YouTube
To make matters worse, the data contained in each record includes some or all of the following: profile names, full real names, profile photos, account descriptions, engagement data, likes, age, gender, phone numbers, email addresses and whether or not the profiles in question are businesses.
Thankfully, no passwords were included in the leak, but that’s small comfort compared to the sheer volume of additional data that was gathered. Add in the fact that the information was left unsecured and you have a recipe for widespread phishing campaigns and cyberattacks.
After the findings were published, the database vanished. It appeared to be removed by its original owners, which means the window of opportunity to gather the scraped data has closed. If hackers want a piece of it, they’ll have to take a trip to the Dark Web and do some research.
Am I included in the breach? What can I do to protect myself?
If you use TikTok, Instagram or YouTube, it’s unlikely that your accounts themselves are compromised. This is because no passwords were found in the leak, which means that anyone trying to break in would need to guess your password based on other information they have. Unfortunately, this is less difficult than it sounds.
In addition, the fact that reams of personal data are floating around means that victims are now more likely to be targeted by personalized phishing or ransomware attacks.
Sometimes, hackers will pretend they have access to your accounts by dangling personal information about you that they’ve gleaned from data breaches. They’ll use this information to give the impression that you’ve been hacked, and then trick you into actually paying them or giving up your data for real.
If you get any emails like this, ignore them! They’re probably scams.
If you signed up for any of these platforms, it’s still a good idea to check HaveIBeenPwned out of an abundance of caution. This frequently updated website contains information on the web’s biggest data leaks and breaches and can inform you whether or not you’re included in one.
To see if your data is part of the leak, visit HaveIBeenPwned. On the home page, enter your email address to check if your account has been included in any recent breaches or leaks.
If you’ve been affected by this leak (or any, for that matter), you should immediately change your passwords. You should also consider setting up two-factor authentication for any at-risk accounts.
It’s unlikely that data leaks like this will stop any time soon. Data is extremely valuable, which is why it’s collected on such a massive scale. But as this leak clearly shows, the only entity you can trust to treat your data with care is you. And if you’re keeping your privacy in check, you won’t have to worry about it falling into the wrong hands.