Unsecured Social Data database leaks 235 million public profiles from TikTok, Instagram, and YouTube

Researchers from Comparitech have discovered yet another unsecured database which has leaked 235 million records to the world. The records include hundreds of millions from Instagram, forty some million from TikTok, and four million from YouTube. These public records were scraped from these social media platforms by Deep Social, a now defunct company that seems to have sold the data to Social Data. Scraping of public records is something that is forbidden by all three affected sites. In fact, Deep Social was banned from Facebook and Instagram for breaking that policy back in 2018.

Leaked Social Data database highlights the information we give to social media companies, and therefore the world

The database has since been secured, and affected users won’t be notified because the leaked information is technically public. Comparitech researchers reached out to Deep Social, were forwarded to Social Data, and the unsecured databases were secured within hours.

According to Comparitech, about one in five of the leaked profiles had an email address or phone number included. The information in the leaked database also includes:

• Profile name
• Full real name
• Profile photo
• Account description
• Whether the profile belongs to a business or has advertisements
• Statistics about follower engagement, including:
• Number of followers
• Engagement rate
• Follower growth rate
• Audience gender
• Audience age
• Audience location
• Likes
• Last post timestamp
• Age
• Gender

While this information could technically be garnered individually by a threat actor, the fact that all of these records are in one place almost guarantees extra exploitation. Extra because Social Data and Deep Social would continue using this data for their own purposes even if their database was never leaked, and even now after it has been leaked. Comparitech’s editor Paul Bischoff commented:

“The information stored in this database is vulnerable to spam marketing and phishing campaigns. Users of Instagram and TikTok should be on the lookout for scams and phishing messages either sent directly or posted in comments. Even though the information is publicly available, the size and scope of an aggregated database makes it more vulnerable to mass attack than it would be in isolation.”

This is a stark reminder that even if there are rate limits on how many profiles can be “saved” from a social media platform with public facing profiles, a public profile is just that: Public. We know that this technically public trove of information is being used for algorithm training. Whether it’s facial recognition from profile photos like we’ve seen with Clearview or something else, it’s time for social media users to recognize that when they use these supposedly free services, they are actually paying with information that is used, reused, leaked, then reused again.