Social Data, a social media analytics company, has exposed the details of more than 250 million social media accounts on the Internet because its database required no authentication to access.
Social Data, a Hong Kong-based company launched in August 2019 that sells data on social media influencers and their followers to marketers, left its entire database of 235 million accounts unprotected on the web, with no password or any other authentication required to access it.
The exposed data includes sensitive and personal information such as names, contact information, personal info, images and follower statistics. Social Data collected all of this information from social platforms such as YouTube, TikTok and Instagram through a technique known as web scraping.
What is Web Scraping?
Web scraping is the automated extraction of publicly available information from websites and social media sites, performed with scripts or automated bots. It lets media analytics companies copy and store data in bulk. Scraping data in this way violates the terms of use of Facebook, Instagram, TikTok and YouTube.
Security researcher Bob Diachenko, who leads Comparitech’s cybersecurity research team, uncovered three identical copies of the exposed data on August 1. The evidence collected by the team suggests that the data originally came from a now-defunct company, Deep Social. The names of the Instagram datasets (accounts-deepsocial-90 and accounts-deepsocial-91) hint at the data’s origin. Diachenko notified Deep Social of the exposure using the email address listed on its website. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later.
Social Data denies any connection between itself and Deep Social.
Based on the analysis by Comparitech’s cybersecurity team, three identical copies of the data were hosted at three separate IPv6 addresses with:
- 192,392,954 records scraped from Instagram
- 42,129,799 records scraped from TikTok
- 3,955,892 records scraped from YouTube
Based on the samples the team collected, about one in five records contained either a phone number or an email address. The datasets also contain crucial information such as full real name, profile photo, follower engagement details, age, gender etc.
Dangers of this exposed data
As of now, it is difficult to know how much of the database has been downloaded and distributed. All of the exposed data can be used for spamming and phishing campaigns. Scammers can use profile images to create fake accounts that imitate real ones. It’s not as if scammers can’t already get photos of famous celebrities or influencers online, but combined with users’ personal information, a fake account can look genuine. Such an account can lure in followers, promote further scams or misinformation, and possibly defame influencers.