Security researchers have uncovered an exposed database online containing scraped data from the social media profiles of nearly 235m Instagram, TikTok and YouTube users.
For those unfamiliar with the practice, web scraping is an automated technique for collecting data from websites, commonly used by analytics companies to build large databases of user information. Although the practice is legal, it is strictly forbidden by social media companies because it endangers the privacy of their users and their data.
In early August, Bob Diachenko of Comparitech examined three identical copies of the exposed database online. After examining the database, Diachenko and his team learned that it belonged to a company called Deep Social that had shut down its operations.
When the team reached out to the now-defunct company, the request was forwarded to a Hong Kong-based firm called Social Data. While Social Data denied that it had any connection to Deep Social, the company acknowledged the breach, and the exposed database could be password protected.
In an email to Diachenko included in Comparitech’s blog post about the case, Social Data challenged the practice of scraping websites, while also pointing out that the database, which went online without a password to secure it, was not hacked, saying:
“Keep in mind that the negative connotation that the data has been hacked implies that the information was obtained strangely. This is simply not true, all data is freely available to ANYONE with internet access. I would appreciate it if you could make this clear. Anyone could phish or contact any person who indicates phone and email on his description of the social network profile, even without the existence of the database. Social networks themselves expose the data to outsiders – that is, their business – open public networks and profiles. Those users who do not want to provide information make their accounts private.”
Diachenko and his team discovered three identical copies of the database hosted at three separate IPv6 addresses. Of the nearly 235m social media profiles in the database, 191m were scraped from Instagram, 42m were scraped from TikTok and almost 4m were scraped from YouTube.
Each of the entries in the database contains a wealth of information about the users of these services whose data was scraped, including their profile name, real name, profile photo, age, gender, involvement statistics and more.
While scraping user data from social media sites is not illegal, failing to secure this data after it has been collected poses a serious risk to the affected users, as cybercriminals can use the information in the database to target them online.