235 million Instagram, TikTok profiles exposed in data leak — what to do now

Data from almost 235 million social-media profiles was left exposed on the open internet by a company that had "scraped" the information from Instagram, TikTok and YouTube.

The exposed data included full names, ages, genders, profile photos and, in some cases, telephone numbers and email addresses. The database was taken offline in early August, three hours after researchers from Comparitech notified the database's current administrators that it was unsecured.

It's not clear how long the database was left open for anyone to find, but the company that collected the information, Deep Social, went out of business in 2018 after Facebook banned it from scraping Instagram user profiles and threatened to sue. The database is now administered by a different company called Social Data.

Persons who had their phone numbers or email addresses exposed as part of this data leak might be at higher risk of being targeted by phishing scams. However, all the information was already publicly displayed on Instagram, TikTok or YouTube. (We're calling this a "data leak" rather than a "data breach" because there's no evidence that the data was stolen or misused.)

Collecting publicly displayed information from social-media services is not illegal, although most social-media companies forbid it in their terms of service and reserve the right to block such activities. 

According to Comparitech, Deep Social marketed itself as an analytics platform providing insight into social-media "influencers" for high-profile corporate clients. Social Data, which now holds the database, seems to do more or less the same thing.

"The negative connotation that the data has been hacked implies that the information was obtained surreptitiously," a Social Data spokesperson told Comparitech. "This is simply not true — all of the data is available freely to anyone with internet access."

To make sure your personal data doesn't end up being scraped by marketers and data brokers, minimize the amount of information you display publicly on Facebook, Instagram, TikTok, Twitter, YouTube and other social-media sites. 

Consider registering with a fake name and/or a disposable email address and using a photo that doesn't show your face. And never list your date of birth — that's a vital piece of information that identity thieves can use.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.