Over 235 million social media users across TikTok, Instagram and YouTube had their personal information exposed on an unsecured database. Cybersecurity firm Comparitech made the discovery when they found an improperly secured cloud database without password protection.
The database contained identifiable personal information such as real names, age and gender. At least 20% of the accounts also had phone numbers and email addresses listed.
The researchers at Comparitech initially connected the database to Deep Social, an influencer ranking and AI analytics platform. At its height, the company was known for scraping information from social media sites using machine learning.
Data scraping allows companies to collect raw data (in bulk) from different sources. The data is then structured to gain insights into valuable information such as customer preferences and best pricing options. But there is a debate on the ethics of data scraping and responsibilities of companies using the data.
Deep Social was dissolved in 2018 when Facebook and Instagram banned them from their sites due to their scraping activities.
Who is the source of the data leak?
When Bob Diachenko, Chief Security Researcher at Comparitech, contacted Deep Social about the unsecured database, his email was forwarded to Social Data. Within three hours, the servers hosting the database were shut down.
Social Data denied any connection with Deep Social but according to its website, the company also helps businesses to find influencers. This raises questions about why Social Data was handling the database in question if it doesn’t have any connection with Deep Social.
Social Data also issued a statement in response to the allegations,
We collect data and enrich it with additional useful insights solely on behalf of reputable customers, who use it strictly for the intended purposes. It is extremely sad that this incident has occurred due to a mixture of unfortunate events. However, as soon as we learned of the incident, we fixed it immediately. We have since been closely working with the information security experts on auditing our security infrastructure and increasing the required levels of information security to avoid similar occurrences in the future.
Is data scraping illegal?
Although most social media sites have policies against data scraping, Social Data has pushed back against the notion that its activities are illegal. According to a statement from its spokesperson,
Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is freely available to anyone with an internet connection.
Social networks themselves expose the data to outsiders open public networks and profiles. Those users who do not wish to provide information, make their accounts private.
Dangers of exposed data
Although some companies have anti-scraping policies, there is no ruling that says it is an illegal activity. However, a situation like this, where a massive amount of structured data is exposed, shows the danger of data scraping when the appropriate safeguards are not in place.
As Paul Bischoff, the editor of Comparitech, said,
Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation.
Exposed data of this nature involving identifiable information such as names, phone numbers and email addresses can leave people vulnerable to dangers such as identity theft, fraud or phishing.
This is an important reminder for companies to conduct audits on information saved in cloud services. Get in touch with us for support on the best way to implement appropriate safeguards for your organisation.
What can you do to protect your personal information?
If you want to minimise the risk of your personal data being scraped, here are a few guidelines for you:
- Minimise the amount of information you share on social media sites
- Never list identifiable information like your date of birth or address
- Regularly audit to delete posts or information in case you slip up
Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and have received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.