Profile data of around 235 million users of major social media apps exposed due to negligence

According to recent reports, profile data of around 235 million users of famous social media apps including TikTok, Instagram, and YouTube was exposed due to a database breach. This data was collected by Deep Social (which is no longer operational).

This data was found by Bob Diachenko, the lead researcher for the security firm Comparitech. He found that it contained four major data subsets with details of millions of users from TikTok, Instagram, and YouTube.

Bob found three identical copies of this database on 1st August 2020. When he and his team dug into it, they identified the company that had collected all that data through web-scraping.

This scraped data contains personal information like the profile name, full real name, profile photo, account description, whether it is a business account or personal, statistical information such as the number of followers, engagement rate, follower growth rate, gender, age, and location of the audience, likes, last post timestamp, etc.

20 percent of the records obtained from this database contain phone numbers and personal email addresses of the users. The company to which this database belonged did not secure it with any passcode and left it exposed. This type of data is fodder for cybercriminals and can be used for phishing attempts, hacking, or spam. Comparitech forwarded this database to the Hong Kong-based security firm Social Data, which then acknowledged the breach and fixed the issue by closing access to the database.

This data was collected through a practice known as web-scraping. A company uses scraping software or hires individuals to scrape data from other sites or apps, collects it in a database, and uses it to approach individual users. Many B2B businesses use such web-scraping software to build a target audience to whom they send emails and messages.

Web-scraping is not totally illegal, nor is it considered hacking. It is the collection of data that is already public. But after collecting this data, it is the responsibility of the collecting company to keep it safe and secure. These companies use selected data on the web, but they do not make it available through an API. In this case, the database breach happened because the company failed to protect it on the web.

Web-scraping can be used for many different purposes, and it is not always meant to be used for bad purposes. But scraping personal data is still not a very good practice, and policy makers must set some boundary rules for scraped data and the purpose of scraping.


