Security researchers discovered a misconfigured database exposing over 235 million social media profiles online. According to the security researcher Bob Diachenko, who leads the cybersecurity research team at Comparitech, the leaky database contained sensitive information that was taken from publicly viewable social media profiles on Instagram, YouTube, and TikTok.
Diachenko found three identical copies of the scraped data from social media pages, which were hosted at three separate IPv6 addresses. The datasets include:
- 96,714,241 records scraped from Instagram
- 95,678,713 records scraped from Instagram
- 42,129,799 records scraped from TikTok
- 3,955,892 records scraped from YouTube
The records contain personal information such as profile name, full real name, profile photo, account description, and whether the profile belongs to a business or has advertisements. They also include statistics about follower engagement, including number of followers, engagement rate, follower growth rate, audience gender, audience age, audience location, likes, last post timestamp, age, and gender.
The misconfigured database is said to have come from a now-defunct company called Deep Social; however, the database is presently owned by a company named Social Data. Social Data acknowledged the exposure but has denied any connection with Deep Social.
“Evidence suggests that much of the data originally came from a now-defunct company: Deep Social. The names of the Instagram datasets (accounts-deepsocial-90 and accounts-deepsocial-91) hint at the data’s origin. Based on this, Diachenko first contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later,” Comparitech stated in its report.
Fate of the Exposed Data
Attackers could take advantage of the exposed data to launch credential stuffing attacks. “The information stored in this database is vulnerable to spam marketing and phishing campaigns. Users of Instagram and TikTok should be on the lookout for scams and phishing messages either sent directly or posted in comments. Even though the information is publicly available, the size and scope of an aggregated database makes it more vulnerable to mass attacks than it would be in isolation,” Comparitech added in its report.
While the unsecured database was discovered on August 1, 2020, the Comparitech researchers stated that they do not know how long the data was exposed before the disclosure, and it is unclear whether any unauthorized party accessed it.