A database containing information on 235 million Instagram, TikTok and YouTube users has leaked onto the web. The non-password protected file could be viewed freely along with its share of information such as the names, email addresses and phone numbers of users, and their profile photos.
These files belong to a company called Social Data. User data from YouTube, Instagram and TikTok was collected using web scraping technique. This allows data to be extracted from web pages using crawlers. Many analytics companies use it and then sell the data to other companies or use it to provide marketing strategy advice.
Scraping is also a favored technique for hackers to create databases of targeted profiles in phishing or advertising spam campaigns. In this case, the files were identified by a security researcher named Bob Diachenko of Comparitech. They contained information from nearly 190 million Instagram profiles, 42 million TikTok profiles and 4 million YouTube profiles.
Files have been deleted from hosting servers
According to the researcher, these files belonged to a company called Deep Social which visibly shut down its services after being banned from Facebook and Instagram APIs, then threatened with legal action in 2018. We do not know how Social Data inherited this data. In a statement, a spokesperson for the company denied any connection to Deep Social and said in its defense that the files pointed out contained publicly accessible information. However, the company deleted the files in question from their hosting servers after the researcher’s discovery.
“Please note that the negative connotation that the data was hacked implies that the information was obtained surreptitiously. This is simply not true, all data is available free of charge to anyone with access to the Internet, “Social Data said in its statement. However, this plea is only a headlong rush.
Most social networks including YouTube, Instagram and TikTok prohibit scraping in their terms of service. In addition, this practice goes against the provisions of the GDPR in Europe which protect users from the exploitation of their data without their approval.
This is not the first time that a similar data breach has hit a social network. Last year, the phone numbers of 267 million Facebook users were found on the Internet in another unprotected database.