Security researchers have discovered around 235 million social media profiles in a misconfigured database that did not require any password to access its contents. The database was owned and maintained by Social Data that sells data on social media influencers to marketers.
The misconfigured database was discovered on 1st August by security researcher Bob Diachenko at Comparitech who noted that the database contained hundreds of millions of social media profiles that were taken from publicly viewable social media pages on Youtube, TikTok, and Instagram.
While data stored in the database originally came from a now-defunct company called Deep Social, the present owner of the database- a company named Social Data- took down the servers hosting the data within three hours of being notified by Comparitech.
According to the security firm, Deep Social was in the business of scraping data from social media profiles associated with the likes of Facebook and Instagram. However, the firm wound down its operations and ultimately closed its data-broking service after Facebook and Instagram banned the firm from their marketing APIs and threatened legal action. Social Data has denied having any links with Deep Social, but Comparitech believes the company carried out data scraping from social media platforms as well.
The 235 million social media profiles stored in the misconfigured database included over 192 million records scraped from Instagram, over 42 million records scraped from TikTok, and nearly 4 million records scraped from Youtube. Incorporated in Hong Kong, Social Data says it “helps your business to find Influencers and get in-depth insights into demographic and psychographic data of influencers and their audience throughout different types of social media on the web.”
Comparitech says Social Data was incorporated around a year after Deep Social was shut down. The former company described itself as “a freemium influencer ranking, discovery and AI-driven analytics platform” offering in-depth insights into demographic and psychographic data of influencers and their audience.
The data broker's services were used by a number of global brands such as Samsung, Heineken, L’Oreal, Unilever, Walmart, Amazon, Disney, and Booking.com and it claimed to be GDPR-compliant.
Even though the misconfigured database has been taken down, the amount of personal information stored in it was alarming for the researchers who discovered it. The database contained profile names, full real names, profile photos, age, gender, account description, and last post timestamps of social media profiles. Other details found in the database included statistics about follower engagement such as the number of followers, engagement rate, audience gender, audience age, audience location, likes, etc.
"Facebook and other social networks have employed both legal and technological solutions to stem web scraping of their users’ profiles, but the practice hasn’t ceased. Scrapers are difficult for automated systems to distinguish from normal website users. The most prominent example is Clearview.ai, which scraped profiles for images to be used in mass-marketed face recognition technology," Comparitech said.
Commenting on the discovery of the misconfigured database, Anurag Kahol, CTO of Bitglass, said that to prevent misconfigurations like this in cloud environments and ensure sensitive data is protected, organisations must take a more proactive and holistic approach to cloud security.
“By leveraging multi-faceted solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, and manage the sharing of data with external parties, and prevent data leakage, organisations can ensure the privacy and security of sensitive information,” he said.