UPDATED 22:22 EDT / AUGUST 19 2020

SECURITY

235M user profiles scraped from Instagram, TikTok and YouTube found exposed online

Some 235 million profiles of users of Instagram, YouTube and TikTok compiled by a social media marketing company have been found online in a publicly exposed database.

Discovered and publicized today by Bob Diachenko at Comparitech, the database was traced to a company called Social Data that sells data on social media influencers to marketers. The data, scraped from public profiles, includes user names, full names, contact information, images, follower statistics, age, gender and several other details.

More than 192 million records were related to Instagram users, 42 million to TikTok users and almost 4 million records to YouTube users. Although all the information is publicly available from user accounts, scraping the data is against the terms of use of all three services.

There is also some question around the company that allegedly compiled the data. Diachenko initially tied the data to Deep Social, a now-defunct company that was banned by Facebook Inc. and Instagram from their marketing application programming interfaces in 2018, with a threat of legal action if it continued to scrape data from user profiles. Those tied to Deep Social forwarded on an inquiry from Diachenko to Social Data.

Social Data denies having any links to Deep Social and also denies any wrongdoing in compiling the data, saying that “all the data is available freely to anyone with internet access.” The exposed database has been taken offline.

Although it is true that the data is publicly available online, it’s normally not compiled into an easy-to-use database, and this one has seemingly been compiled through illegal scraping. “Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation,” Paul Bischoff from Comparitech told Forbes.

“While most of the user data in this leak was publicly available on user profiles, the risk of phishing is amplified due to the large accumulation of user data collected in the exposed databases,” Chris DeRamus, vice president of technology of the Cloud Security Practice at security operations firm Rapid7 Inc., told SiliconANGLE.

Chloé Messdaghi, vice president of strategy at cybersecurity company Point3 Security Inc., explained that scraping is essentially the use of personal information without permission for profit. “It is an act against the individual’s privacy rights and it puts all of those whose data is scraped at sharply increased risk of attack from phishers,” she said. “Data scraping companies, perhaps unintentionally, support malicious actors and enable cybercriminals to do the things they do.”

This is much the same problem as the privacy issues around facial recognition without permission, she added. “When we see the chilling effects of the potential misuse of such technologies against activists in places like Belarus and Hong Kong, it should give us all pause and serve as a Congressional call to action,” she said. “Clearly, when scraping is involved, the personal data we entrust to one platform doesn’t stay on that platform – despite the site’s own policies.”

Photo: Wallpaper Flare
