Nearly 235 million Instagram, TikTok and YouTube profiles ended up in an unsecured database. According to a report by Comparitech and cybersecurity researcher Bob Diachenko, a database of nearly 235 million social media profiles was exposed on the web, accessible without a password or any other form of authentication.
Discovered on August 1 and spread across several datasets, the database, left unsecured by a misconfiguration, contained profile information extracted from public pages, mainly on Instagram, as well as TikTok and, to a lesser extent, YouTube.
Along with name, photo, account description, age, gender, and various subscriber engagement statistics, nearly a fifth of the profiles contained a phone number or email address. Access to the database was closed three hours after notification.
According to Comparitech, even though the information is publicly accessible elsewhere, malicious actors who discovered this database could have used it for spam and phishing campaigns.
The data and its collection appear to trace back to a company called Deep Social. It presented itself as an AI-based influencer ranking, discovery and analysis platform, and it was closed in 2018.
At the same time, Facebook (owner of Instagram) revoked Deep Social's API access for web scraping, a prohibited practice. Web scraping is the automated collection of content, including profile data.
Deep Social's administrators pointed to Social Data, a marketing firm for influencer data, which took action on the servers hosting the data. Social Data denies any link with Deep Social and defends itself:
“All data is freely accessible to anyone with access to the Internet. Anyone could phish or similarly contact anyone who indicates their phone and email address in their profile description on social media, even without the existence of the database. Social networks themselves expose data to outsiders. Users who do not wish to provide information make their accounts private.”