Instagram, TikTok and Youtube users' personal data exposed by social media company
Approximately 235 million accounts were exposed, with personal data including names and contact information left on an insecure database
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.A company that sells social media data to marketers has left nearly 235 million Youtube, TikTok, and Instagram profiles exposed.
Social Data managed a database that was neither password-protected nor had any authentication methods, according to a report from Comparitech.
The data reportedly includes a information including names, contact information, personal information, images, and statistics about followers.
Comparitech also said it detailed information about those accounts, such as number of followers, engagement rate, follower growth rate, audience gender, audience age, audience location, and likes.
Security researcher Bob Diachenko, who had previously contributed to uncovering the ‘Meow’ hack, said he uncovered three identical copies of the exposed data at the start of the month.
According to Comparitech, the company responsible for the unsecured database was a now-shuttered firm called Deep Social. When informed of the breach by Comparitech, Deep Social forwarded the disclosure to Social Data.
The CTO of Social Data reportedly acknowledged the exposure, and took down the servers within three hours – but Social Data denies any connection between itself and Deep Social.
Facebook and Instagram banned Deep Social from their marketing APIs in 2018 for scraping data from user profiles. “Scraping people’s information from Instagram is a clear violation of our policies. We revoked Deep Social’s access to our platform in June 2018 and sent a legal notice prohibiting any further data collection”, a Facebook spokesperson said.
Speaking to Comparitech, a spokesperson for Social Data said to “note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access.
“I would appreciate it if you could ensure that this is made clear. Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database.
“Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private [sic]”, they continued.
Social Data launched in August 2019, is located in Hong Kong, and has apparently worked with companies including Samsung, Heineken, L’Oreal, Unilever, Walmart, Amazon, Disney, and Booking.com.
It is unclear how long the data had been exposed prior to 1 August, when it was detected, or whether it was accessed by malicious individuals. The Independent has reached out to Social Data for clarification.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments