Data Scrapers Expose 2.6 Million Instagram and TikTok Users

Security researchers have discovered over two million social media user profiles scraped from the internet after they were unwittingly exposed online by an analytics firm, Infosecurity can reveal.

A team at reviews site SafetyDetectives led by Anurag Sen found the data located on a misconfigured Elasticsearch server, left exposed without any password protection or encryption in place.

It quickly traced the 3.6GB trove of more than 2.6 million TikTok and Instagram profiles to IGBlade, a firm that provides marketing insights on social media users for its customers.

“The scraped data of users on the server is the same data that features each user’s corresponding page, and the database often provides links back to IGBlade,” the researchers wrote. “This is how we know the database belongs to”

Although data scraping is not illegal, and all of the user info contained in the exposed database was publicly available, scraping breaks the terms of service for TikTok and Instagram.

The leak could also be a boon for cyber-criminals, who can accelerate mass social engineering and fraud campaigns with large volumes of user information collected in one place.

According to the report, the exposed information was left publicly available online for over a month before the research team found it and reached out to IGBlade. The Romanian firm secured it on the same day, July 5.

The trove included full names and usernames, profile pictures, “about” details, email addresses, phone numbers and location data. Celebrities including Alicia Keys, Ariana Grande, Kim Kardashian, Kylie Jenner, and Loren Gray were caught in the privacy issue.

SafetyDetectives claimed the revelation could land IGBlade in trouble with the two social media giants.

Beyond this, if criminals got hold of the trove, they could use it in follow-on phishing attacks and mass robocalling scams. The researchers claimed that criminals could even use the scraped profile pics to create new fake accounts for misinformation and scam campaigns.

“Data scraping can make information for thousands or millions of users instantly accessible, as it’s all stored in the same place. For example, navigating logs in a database is a far quicker solution than navigating between each user on a social media site,” said SafetyDetectives.

“In this case, cyber-criminals can use data scraping as a cybercrime accelerant rather than an enabler. It can accelerate the speed and scope of hackers’ criminal activities.”
