A cloud configuration error at a Chinese startup exposed the personal data of at least 214 million social media users including celebrities, researchers have warned.
The privacy snafu occurred at social media management firm Socialarks, which suffered a similar incident in August last year when 150 million users were exposed, according to Safety Detectives.
This time, a team led by Anurag Sen came across an Elasticsearch database left completely open without any password protection or encryption, during a routine IP scan.
The 408GB trove contained over 318 million records in total, although the exact number of users affected is still not known given the size of the leak. What the researchers do know is that it was illegally scraped from social media profiles on Facebook, Instagram and LinkedIn, contrary to the policy on those sites.
They discovered nearly 12 million Instagram user profiles, including names, phone numbers, usernames, email addresses, profile pictures and locations.
The trove also contained data on 82 million Facebook profiles including full names, email addresses, phone numbers, Messenger IDs, pictures and more.
Finally, the researchers uncovered 66 million LinkedIn user profiles containing full names, email addresses, job profiles and company names, amongst other data points.
Safety Detectives said it was unclear how private information such as phone numbers and email addresses were obtained by Socialarks, given its scraping tools should have lifted only publicly available information.
“In some cases, scraped data can be weaponized to carry out a specific goal of extracting personal information for criminal purposes. Potential ramifications of exposing personal information include identity theft and financial fraud conducted across other platforms including online banking,” the firm warned.
“Contact information can be harnessed to target people with targeted scams including sending personalized emails containing other personal information about the target, thereby gaining their trust, and setting the stage for a deeper intrusion into their privacy.”
Although Socialarks never replied to the research team, it remediated the leak on December 14, the day it was notified.