A publicly accessible Elasticsearch database owned by Chinese social media management company Socialarks has exposed over 400GB of data scraped from the most popular social media platforms, such as Facebook, Instagram, and LinkedIn.
The unsecured Socialarks database was recently discovered by the Safety Detectives cybersecurity team who counted a total of more than 318 million data records which included personally identifiable information (PII) from at least 214 million social media users from around the world.
After discovering the database when carrying out routine IP-address checks, the researchers found that the database was neither password-protected nor was the data in it secured with encryption. This meant that anyone could access the database and its contents using the server IP address.
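The two conditions the researchers describe, no authentication on the HTTP port and no encryption, can be checked against your own node inventory. The following is an added example and not code from the article or from Safety Detectives; the hostnames are constructed, and it only classifies what the root endpoint returns to an anonymous client.

```python
# Added example: audit Elasticsearch nodes you operate for anonymous access
# and cleartext transport, the misconfiguration described in the report.
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    url: str
    status: str          # "open", "auth-required", "forbidden", "unreachable", "not-elasticsearch"
    cleartext: bool      # True when the endpoint is plain http://
    cluster_name: Optional[str] = None


def assess(url: str, http_status: Optional[int], body: Optional[bytes]) -> Finding:
    """Classify the result of one unauthenticated GET / against a node."""
    cleartext = url.lower().startswith("http://")
    if http_status is None:
        return Finding(url, "unreachable", cleartext)
    if http_status == 401:
        # Security is enabled and credentials are required: the expected state.
        return Finding(url, "auth-required", cleartext)
    if http_status == 403:
        return Finding(url, "forbidden", cleartext)
    if http_status == 200:
        try:
            info = json.loads(body or b"")
        except ValueError:
            return Finding(url, "not-elasticsearch", cleartext)
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            # Cluster metadata handed to an anonymous client: the same state
            # the exposed server was found in. Treat as a high-severity finding.
            return Finding(url, "open", cleartext, info["cluster_name"])
    return Finding(url, "not-elasticsearch", cleartext)


def probe(url: str, timeout: float = 5.0) -> Finding:
    """Issue the anonymous request and hand the outcome to assess()."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(url, resp.status, resp.read())
    except urllib.error.HTTPError as e:   # 401/403/etc. still carry a status
        return assess(url, e.code, None)
    except OSError:                       # DNS, TLS, refused, timeout
        return assess(url, None, None)


if __name__ == "__main__":
    # Constructed inventory; replace with the nodes you own.
    for u in ("http://es-internal.example.test:9200/", "https://es-secure.example.test:9200/"):
        f = probe(u)
        print(f"{f.url}: {f.status}" + (" (cleartext HTTP)" if f.cleartext else ""))
```

Any node reported as "open" or "cleartext" should be bound to a private interface and have authentication and TLS enabled before it holds any personal data.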
The data on the 214 million users found in the Socialarks database included 11,651,162 Instagram user profiles, 66,117,839 LinkedIn user profiles, and 81,551,567 Facebook user profiles. Safety Detectives said that more than 55 million additional Facebook profiles were deleted within a few hours after the database was discovered.
The 81.5 million Facebook user profiles found in the database contained over 40 million phone numbers and 32 million email addresses, along with other user details such as full names, profile descriptions, Messenger IDs, country of location, and website links.
According to Safety Detectives, information scraped from Instagram and stored in the database included the data of several high-profile influencers, including prominent food bloggers, celebrities, and other social media influencers.
"Every record contained public data scraped from influencer Instagram accounts, including their biographies, profile pictures, follower totals, location settings as well as personal information such as contact details in the form of email addresses and phone numbers," the researchers said in a blog post.
Information about 66.1 million users that was scraped by Socialarks from LinkedIn included as many as 31 million email addresses as well as people's full names, job profiles, user tags, domain names, connected social media login names, and LinkedIn profile links.
Safety Detectives found that the database stored personal data for Instagram and LinkedIn users, such as private phone numbers and email addresses, belonging to users who had not divulged such information publicly on their accounts.
Commenting on the exposure of the personal data of hundreds of millions of social media users worldwide, Pravin Rasiah, VP of Product at CloudSphere, told TEISS that because personally identifiable information was found bundled together with commonalities between profiles, the risk of this data being abused by hackers and scammers is amplified.
"Leaving a database like this exposed without password protection is often the result of improper security and access management policies or failure to enforce those policies. To prevent incidents like this from occurring, organisations must implement a comprehensive set of security tools that monitor and control security status in real-time.
"A platform that provides a holistic view into the cloud landscape minimises the potential attack surface, shares security and access alerts in real-time, and avoids devastating misconfigurations that put sensitive data at risk," he added.