A database with information from more than 235 million Instagram, YouTube and TikTok users was exposed on the internet for a few days, without any protection. The alert was given yesterday (19) by Comparitech, the security company responsible for discovering the flaw, which has already been fixed.
Most of the data exposed was from Instagram, which had two libraries: one with 95.6 million records and the other with 96.7 million. TikTok’s folder contained information on 42.1 million accounts, while YouTube’s had data referring to 3.9 million profiles.
Among the leaked information were details such as profile name, username, photo, account description, age, gender, and follower interaction statistics. In some cases, the records also contained the telephone number and e-mail address of the profile owners.
Automated data collection is a technique prohibited by social media. Source: Comparitech/Reproduction
According to Comparitech, evidence indicated that the information belonged to Deep Social, a company banned by Facebook in 2018 after illegally collecting data from users. But when questioned, the company claimed the database was owned by Hong Kong-based Social Data. The latter, in turn, acknowledged the violation and closed access in early August.
Spam and Phishing Campaigns
The data available in this leak is public and can be found in the users’ own profiles. However, collecting large amounts of information, in an organized manner as in this case, facilitates its use in spam and phishing campaigns on social networks.
Photos and other real data available in these records can be used to create fake profiles and promote fraud and misinformation, for example, in addition to other types of scams.
Although the server is already protected, it is not known whether cyber criminals had access to the database before access was closed, according to the security company.