A database of some 235 million YouTube, Instagram and TikTok profiles that was held by a now-shuttered company called Deep Social was left exposed without password protection or other authentication procedures, The Next Web reported on Thursday (Aug. 20).
The news site attributed information about the data exposure to researcher Bob Diachenko of security firm Comparitech.
A Wednesday (Aug. 19) report on news site Information Security stated, in part: “Diachenko first contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later.”
Deep Social provided, among other things, social media data. The company reportedly is no longer operating. Social Data is in a similar business.
Information Security included an email, purportedly from Deep Social to Diachenko, which stated: “Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true; all of the data is available freely to ANYONE with internet access. I would appreciate it if you could ensure that this is made clear. Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way, even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private.”
Web scraping is the process of using programs to crawl through multiple layers of websites and copy information for later use. Although it is not illegal, many operators of sites attempt to prohibit the practice through terms of service.
Though it is legal to have, the type of data Diachenko uncovered is dangerous because operators of social engineering attacks, such as phishing, can use it to wage targeted attacks on internet users.