According to the security researchers, two datasets consist of 100 million users each, containing profile data scraped from Instagram. The third dataset consists of nearly 42 million TikTok users followed by 4 million YouTube profiles.
The issue was first pressed by Comparitech research team, led by Bob Diachenko, on August 1. The unsecured databases have become a huge data protection problem. Based on the samples collected by the security research firm, one in five records contained sensitive information such as telephone number, or email address. Some of the records also contain profile name, full real name, profile photo, and account description.
Paul Bischoff, Comparitech Editor said, “The information would probably be most valuable to spammers and cybercriminals running phishing campaigns. Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation.”
When the researchers investigated the source of data, they found out that it points out a company called Deep Social which scrapped user profile data. The company and its plugin were banned in 2018.
Data scraping is a clear violation of Facebook’s policy for Instagram. The social media giant has revoked Deep Social’s access in Jun 2018. Even TikTok does not allow third-parties to run automated scripts to collect user information.
The users of these platforms are advised to be careful about phishing scams by email or posted as social media comment. If your company has any database in the could, it is recommended that you audit the access permissions.