Alleged TikTok Breach Could Expose Two Billion Data Records

Written by

Cybersecurity Twitter has been abuzz with analysts tweeting about the discovery of an alleged breach of an insecure server that allowed access to TikTok’s storage, which many believe contained personal user data.

Despite this, TikTok had denied the allegations.

“34 GB worth of data from TikTok's cloud storage on something called ‘cabinet’ is being shared to save storage. Not a clue on why it's here and what it's used for, but it'll be up for free,” a user posting under the name BlueHornet and using the handle AggressiveCurl tweeted on September 4, 2022. According to some cybersecurity analysts commenting on the supposed breach, this anonymous individual would be responsible for discovering the alleged breach.

A link to two data samples was published, along with a video of one set of database tables. The poster further claims to have extracted two billion records from the database. In a previous tweet, the BlueHornet also claimed to have stolen "internal backend source code."

TikTok said the claims of a breach discovered over the weekend were incorrect. “Our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code,” a spokesperson said on September 5, 2022.

Troy Hunt, an Australian web security consultant, investigated some of the data samples listed in the leaked files and found matches between user profiles and videos posted under those IDs. But some details included in the leak were “publicly accessible data that could have been constructed without breach,” Hunt said.

“This is so far pretty inconclusive, some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data,” he posted on Twitter. “It’s a bit of a mixed bag so far.”

Bob Diachenko, cybersecurity analyst at Security Discovery, confirmed the breach on Twitter but his initial findings appeared to show that the data could have originated from the Hangzhou Julun Network Technology Co., Ltd - a Chinese financial company providing debit and credit cards] - rather than TikTok. 

The supposed TikTok breach occurred just days after Microsoft found a “high-severity vulnerability” in TikTok’s Android application.

Microsoft said the vulnerability “would have allowed attackers to compromise users’ accounts with a single click.” Dimitrios Valsamaras, from the Microsoft 365 Defender Research Team, wrote that the vulnerability could have allowed malicious actors to access and modify “TikTok profiles and sensitive information, such as by publicizing private videos, sending messages and uploading videos on behalf of users.”

In response, a TikTok spokesperson said the company had responded quickly to Microsoft’s findings and fixed the security flaw, which was found “in some older versions of the Android app.”

Social media companies continue to be under pressure to ensure their security measures are to a high standard, given the vast amounts of data they hold.

“There has long been much scrutiny over the way TikTok handles its own security and the way it looks after the privacy of its users, which naturally attracts attention from criminal groups as well as nation-state actors,” Jake Moore, global cybersecurity advisor at ESET told Infosecurity Magazine.

“Although this data could purely be widely public data which has been scraped openly from the site, it still highlights the fact that the biggest social media platform in the world attracts criminal hackers and they will continue to be relentless and look for any vulnerability if it’s there.”

“Whether this turns out to be truly private data causing every account to be potentially vulnerable or just open information from the site, users must make sure they have security alerts activated within the app and two-factor authentication (2FA) turned on, as well as ensuring that their password used on the account is unique to any other account,” he warned.

However inconclusive or small the issues may be, there will be intense focus on TikTok and its parent firm ByteDance when the US may step up its measures against businesses with links to China. On 27 June, nine US senators published a public letter to TikTok’s CEO asking him to explain alleged security breaches highlighted by BuzzFeed News on 17 June.

The letter highlights the concern that TikTok is using access to US consumer data to surveil American citizens.

What’s hot on Infosecurity Magazine?