Data from almost 235 million social-media profiles was left exposed on the open internet by a company that had "scraped" the information from Instagram, TikTok and YouTube.
The exposed data included full names, ages, genders, profile photos and, in some cases, telephone numbers and email addresses. The database was taken offline in early August, three hours after researchers from Comparitech (opens in new tab) notified the database's current administrators that it was unsecured.
- TikTok secretly tracked millions of Android users — what to know
- The best identity theft protection services
- New: BlackBerry is back from the dead — with a real keyboard and 5G
It's not clear how long the database was left open for anyone to find, but the company that collected the information, Deep Social, went out of business in 2018 (opens in new tab) after Facebook banned it from scraping Instagram user profiles and threatened to sue. The database is now administered by a different company called Social Data.
Persons who had their phone numbers or email addresses exposed as part of this data leak might be at higher risk of being targeted by phishing scams. However, all the information was already publicly displayed on Instagram, TikTok or YouTube. (We're calling this a "data leak" rather than a "data breach" because there's no evidence that the data was stolen or misused.)
Collecting publicly displayed information from social-media services is not illegal, although most social-media companies forbid it in their terms of service and reserve the right to block such activities.
According to Comparitech, Deep Social marketed itself as an analytics platform providing insight into social-media "influencers" for high-profile corporate clients. Social Data, which now holds the database, seems to do more or less the same thing.
"The negative connotation that the data has been hacked implies that the information was obtained surreptitiously," a Social Data spokesperson told Comparitech. "This is simply not true — all of the data is available freely to anyone with internet access."
To make sure your personal data doesn't end up being scraped by marketers and data brokers, minimize the amount of information you display publicly on Facebook, Instagram, TikTok, Twitter, YouTube and other social-media sites.
Consider registering with a fake name and/or a disposable email address and using a photo that doesn't show your face. And never list your date of birth — that's a vital piece of information that identity thieves can use.