At least 235 million users of Facebook-owned Instagram, China-based TikTok and Google-owned YouTube have been hit by a massive data leak and their personal profiles were up for grabs on the Dark Web.
According to security researchers from pro-consumer website Comparitech, an unsecured database was behind this data breach.
"The data was spread across several datasets and the most significant being two coming in at just under 100 million each and containing profile records apparently scraped from Instagram," reports Forbes, quoting the security researchers.
The third-largest was a dataset of some 42 million TikTok users, followed by nearly 4 million YouTube user profiles.
One in five records contained either a telephone number or email address of the users, along with profile name, full real name, profile photo, account description and number of followers and likes, etc.
"The information would probably be most valuable to spammers and cybercriminals running phishing campaigns," said Paul Bischoff, Editor at Comparitech.
More From This Section
"Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation," Bischoff said in the report on Thursday.
According to the researchers, the leaked data points to a company called Deep Social banned by both Facebook and Instagram in 2018 after scraping user profile data.
"Scraping people's information from Instagram is a clear violation of our policies. We revoked Deep Social's access to our platform in June 2018 and sent a legal notice prohibiting any further data collection," a Facebook spokesperson was quoted as saying.
According to Comparitech, data marketing company Social Data later shut the unsecured database after it was reported to them.
"Social Data has denied any connection between itself and Deep Social," according to the Comparitech report.
Earlier this month, a hacker group known as ShinyHunters flooded a hacker forum with 386 million user records stolen from 18 companies.
According to BleepingComputer, ShinyHunters began uploading the databases to a forum where anyone can download them free of charge. Of the databases released since July 21, nine of them were already disclosed in some manner in the past.