According to researchers at Comparitech, an analytics firm called Social Data exposed about 235 million user profiles scraped from Instagram, TikTok, and YouTube. The data contained personally identifiable information and was discovered on August 1st. Soon after it was reported, the exposed database was taken offline.
Millions of User Profiles Exposed Online
Social Data, an analytics firm, exposed its database online, where it was open for anyone to access until Bob Diachenko, a security researcher from Comparitech, discovered it on August 1st. Researchers said they don’t know how long the database was open or who accessed it.
The database, which had no password set, held records of about 235 million people from Instagram, YouTube, and TikTok. In detail, the record count is divided into 96,714,241 records from Instagram, another 95,678,713 records from Instagram, 42,129,799 records from TikTok, and 3,955,892 records from YouTube.
Social Data said the data was scraped from public user profiles on their respective platforms, and thus was not stolen or hacked.
Though scraping public information is legal in the US, Facebook, Google, and other major tech companies prohibit the practice. Researchers linked Social Data to Deep Social, which was previously banned by Facebook and Instagram from their marketing APIs for collecting data.
The data includes, in particular, users’ profile name, full real name, profile photo, account description, and statistics about follower engagement: the number of followers, engagement rate, follower growth rate, audience gender and age, audience location, likes, and last post timestamp. This data is adequate to conduct a phishing campaign against those vulnerable people.
Though Social Data denied any relation to Deep Social, a primary email sent by Bob Diachenko to Deep Social was routed to Social Data for checking. Researchers also said much of the scraped data seemed to have been taken from Deep Social, which is now defunct. The exposed database was taken down within a few hours of the disclosure.