A database with personal information about 235 million users of Instagram, TikTok, and YouTube was publicly available without any protection. Names, contacts, photos, and statistics about followers were found in it. It is reported that this database was created using so-called web scraping, a technique for automatically collecting information from various web pages.
Cybersecurity researchers have found an unprotected database on the network containing the personal information of 235 million Instagram, TikTok, and YouTube users, according to information security company Comparitech.
Every fifth record from the merged database contained the user's email or phone number. In addition, in all entries, without exception, one could find the account name, the user's real name, photo, and profile description. Detailed statistics about followers were also available, including a breakdown by age, gender, geolocation, and other indicators.
"This information will be the most valuable for spammers and cybercriminals conducting phishing campaigns. Even though the data is publicly available, the fact that it has been merged into a well-structured database makes it much more valuable than each profile individually," said Comparitech editor Paul Bischoff.
Indeed, the data in question was publicly available on the Internet before being merged into a separate database. It was collected by so-called web scraping, a technique for automatically collecting information from various web pages for further use. Although web scraping is legal, many internet companies prohibit the practice to protect their own users.
The data collected as a result of web scraping is used by statistical companies for their own projects or resale to other companies.
However, as Bischoff rightly pointed out, a whole database that is openly available in an insecure form without a password is a serious cybersecurity threat.
Comparitech lead researcher Bob Dyachenko was able to establish that the database in question had previously belonged to Deep Social, which had already ceased to exist. It is known that the company was earlier caught web scraping these services, which prohibited such collection.
"Collecting data from Instagram is a clear violation of our policies. We restored Deep Social's access to our platform in June 2018 and sent them an official notice to ban further data collection," a Facebook spokesman said in a comment for Forbes.
"TikTok prioritizes user privacy. Our policies prohibit third parties from running automated scripts to collect information from our services, including information that is publicly available. If we identify any such practice, we will immediately take action, including with the help of the court," said the press service of TikTok.
Google, which owns YouTube, was unable to provide a prompt comment.
The problem of voluminous publicly available databases became so acute that nameless heroes began to appear, removing them from the Internet. For example, in July, an unusual hacker attack was recorded: attackers hacked over a thousand unprotected archives with information, and then erased them, leaving only lines of random numbers and the word "meow" in place of the deleted information.