An improperly secured cloud database has exposed personal information for over 235 million TikTok, Instagram and YouTube accounts. The Hong Kong-based company Social Data was unknowingly storing the data in a database without proper password protection, meaning anyone could pop in and see it. Ugh.
Cybersecurity firm Comparitech found and disclosed the vulnerability, which Social Data immediately fixed — but others with less altruistic intentions may have found it as well.
Comparitech says the database stored the following information for affected accounts:
- Profile name
- Full real name
- Profile photo
- Account description
- Whether the profile belongs to a business or has advertisements
- Statistics about follower engagement, including:
  - Number of followers
  - Engagement rate
  - Follower growth rate
  - Audience gender
  - Audience age
  - Audience location
- Last post timestamp
It also held phone numbers and email addresses for at least 20% of the aforementioned accounts.
Why this is a big deal
Large-scale data breaches are common, but this one is different. Keeping the information in an improperly secured database is a problem, but in this case it was all publicly available information rather than private passwords or financial data. That makes accessing the saved data less of a hack and more of a general data security blunder, though a pretty severe one, considering the variety of information the database consolidates in one place.
Look at it this way: Knowing a person’s full name and email isn’t enough to break into their account — you can find that with Google search and some social media savvy, and companies know that. But having a person’s name, email, phone number, account names, street address, age and post history all in one place creates a decent foundation for identity theft.
Repeat that for hundreds of millions of accounts, and you have a significant data privacy issue.
What you should do now
It’s always important to update your account security in response to leaks — including your passwords — and I encourage you to do so if you’re worried about the Social Data gaffe. This is also an excellent reminder to anonymize your data whenever possible.
I’m not saying you need to delete your social media accounts or make everything private (the database includes private accounts, anyway), but the more public you are online, the more security you need.
Even if you’re cool with folks knowing your first name in theory, if someone can match that name to an email or phone number, then match those to a password that may have been leaked elsewhere in the past, you’re in trouble. Social Data’s compromised database is one of those unforeseeable instances of mishandled user data that can hand your info over to the wrong people. It’s ultimately up to users to keep themselves safe.
Keep track of the data social media platforms collect on you and withhold as much personal information as you can. You could even use a different name, email address or other bogus identifying information when you make new accounts. If a website requires information like your birthday or street address, make sure it’s not publicly visible if you don’t want it to be. Or just make it up. The less companies know about the real you, the better; don’t give them more information than the very basics you need to use a service, and it’ll be harder to tie together your digital lives when a breach like this one happens again.