The analysis of the data leak reveals that the user identifiable data was spread across several datasets, according to The Independent. Of these pockets of data, the most significant were two sets coming in at just under 100 million each. These datasets contained user profile records apparently scraped from Instagram. Following these, the third-largest was a dataset was composed of some 42 million TikTok users. Another large dataset of concern was one containing just under 4 million YouTube user profiles.
As yet, there is no confirmed source for this leaked data. However, cybersecurity researchers have suggest that the evidence pointed to a company called Deep Social. This organization was banned by both Facebook and Instagram in 2018 after being found to be scraping user profile data.
Looking into the matter for Digital Journal is Chris DeRamus, who is the VP of Technology, Cloud Security Practice, Rapid7.
DeRamus begins by contextualizing the scale of the issue, noting: “TikTok, Instagram, and YouTube are three of the most popular social media sites servicing around 3.8 billion users total.” This means that these providers are entrusted with a massive trove of user data.
DeRamus continues, by considering where the data is being held: “While most of the user data in this leak was publicly available on user profiles, the risk of phishing is amplified due to the large accumulation of user data collected in the exposed databases. 235 million social media users are at risk of their information being sold on the dark web because of unsecured databases, one of the most common yet easily preventable security risks.”
For DeRamus this matter underscores the importance of social media providers investing in automated cloud security solutions. This is because, as the analyst notes: “Many breaches are a result of misconfigurations of cloud services that are exploited by an attacker. Companies must employ security tools that are capable of detecting and remediating misconfigurations (such as databases left unsecured without a password) in real time, or better yet – preventing them from ever happening in the first place.”