Personal data of 235 million YouTube, TikTok and Instagram users was disclosed in a data breach, said Comparitech, a cybersecurity research firm.
Social Data, a company that sells data on social media influencers to marketers, has exposed a database of social media profiles on the web without a password or any other authentication required to access it, said Bob Diachenko, who leads Comparitech’s cybersecurity research team.
The exposed data includes profile name, full real name, profile picture, account description, and whether the profile belongs to a business or has advertisements. 20% of the total records collected had a phone number or email address.
It also had statistics on account followers, such as number of followers, engagement rate, and audience gender, age, and location.
Comparitech said that scammers can use the images and other profile data to create fake accounts, which can attract followers and then promote misinformation. The images can also be used in face recognition systems without the owners’ consent.
Comparitech is not sure whether the data was exposed before it identified the exposure on August 1, or whether any unauthorised parties accessed the data during the exposure. The database was shut down nearly three hours after the cyber research firm disclosed it.
According to the evidence, much of the data came from a now-defunct company, Deep Social.
Diachenko reached out to them and disclosed the exposure. The administrators of Deep Social forwarded it to Social Data, which took down the servers hosting the data.
Facebook and Instagram had banned Deep Social from their marketing APIs in 2018 and threatened legal action if it continued to scrape data from their users’ profiles.
Although Deep Social has since shut down its operations, the practice has not ceased, as the researchers pointed out.
Web scraping is an automated task that copies data and information from web pages in bulk. Social media companies are having a tough time keeping automated scraping bots from accessing users’ profiles because it is difficult to distinguish them from normal website visitors, Comparitech said.
Although Social Data said that it only scrapes publicly accessible information, that practice violates the policies of Facebook, Instagram, TikTok, and YouTube.
“Scraping people’s information from Instagram is a clear violation of our policies,” Facebook said.
However, Social Data blamed the social networks themselves for exposing data to outsiders. Anyone could phish or contact any person who has indicated their phone number and e-mail ID in their social network profile description, even without the existence of the database and any secret hacking, it said. Those users who do not wish to provide information must make their accounts private.