The security research team at Comparitech today disclosed how an unsecured database left almost 235 million Instagram, TikTok and YouTube user profiles exposed online in what can only be described as a massive data leak. The data was spread across several datasets, the most significant being two of just under 100 million records each, apparently scraped from Instagram. The third-largest was a dataset of some 42 million TikTok users, followed by just under 4 million YouTube user profiles. There is no confirmed source for this leaked data at the moment, but researchers suggest the evidence points to a company called Deep Social, which was banned by both Facebook and Instagram in 2018 after scraping user profile data.
The data exposure at Social Data is another example of careless configuration management. Fortunately, this appears to be data that was publicly available and not a direct threat. Unfortunately, the exposed information could benefit spammers and scammers, which will just add to existing problems.
The challenge for users is how to balance usability with security. We have to assume our information will escape from third parties, so how little information can we expose and still use the social media services we’ve come to rely on?
At the very least, it’s worth separating the addresses and information we associate with our critical accounts, such as banking or health, from our strictly social activities. That keeps a compromise of one from leading to a direct compromise of the other.
These days it’s near impossible to know whose hands your online data ends up in. A sea of data brokers and advertising companies obtain data in direct and indirect ways from almost every company you interact with online: social media platforms, merchants, news and entertainment sites, it’s practically everyone. In this instance it appears the information was all “public”, but it’s still no less frightening to see the massive number of people it includes. Much the same way as it would be technically legal in many places for someone to film you from the moment you left your house and record you through public places until you returned, it makes it no less creepy to understand the true depth and invasiveness of the tracking that occurs online. The massive byzantine sharing between platforms, advertisers, and data brokers, combined with relatively weak privacy regulation, almost ensures that leaks of this type of information and worse are going to continue unabated until protection is forced through regulatory means.
Breaches like this fuel the attacks on people that open more doors to much more valuable data. Given the prevalence of work-from-home right now, it’s not surprising to see data like this circulating. Specific personal data enables more effective spearphishing to attack an enterprise with higher-risk, higher-value data. The bottom line here is enterprises need to be both protecting their own personal data to neutralize it from risk of theft and scraping, and ensuring employees don’t become the vector of exploits from attackers who quite literally have more socially exploitable data on them than the businesses they report to.
TikTok, Instagram, and YouTube are three of the most popular social media sites servicing around 3.8 billion users total, and are therefore entrusted with a massive trove of user data. While most of the user data in this leak was publicly available on user profiles, the risk of phishing is amplified due to the large accumulation of user data collected in the exposed databases. 235 million social media users are at risk of their information being sold on the dark web because of unsecured databases, one of the most common yet easily preventable security risks.
This incident further underscores the importance of investing in automated cloud security solutions, as many breaches are a result of misconfigurations of cloud services that are exploited by an attacker. Companies must employ security tools that are capable of detecting and remediating misconfigurations (such as databases left unsecured without a password) in real time, or better yet – preventing them from ever happening in the first place.