TikTok Denies Breach After Hacker Claims ‘2 Billion Data Records’ Stolen

Davey Winder, Senior Contributor, Forbes Cybersecurity (co-founder, Straight Talking Cyber). Opinions expressed by Forbes Contributors are their own.
Sep 6, 2022, 02:44am EDT

Messages on a breach marketplace forum claim TikTok has been breached, with sample data posted online. AFP via Getty Images

September 6 Update below.
This post was originally published on September 5.

Earlier this month, I reported how security researchers had uncovered a serious TikTok vulnerability that could have exposed users to a 1-click account takeover exploit. That issue, which affected users of the Android app, has long since been patched by TikTok. However, just as TikTok users breathe a sigh of relief, reports that TikTok U.S. has been hacked have started circulating, first on an online data breach marketplace forum and then on Twitter over the holiday weekend. A TikTok spokesperson has told this reporter that no evidence of a security breach has been found.
Security experts recommend that TikTok users change their passwords and ensure two-factor authentication (2FA) is activated anyway, out of an abundance of caution.

The TikTok hack allegations

The first reports of an alleged hack appeared on the Breach Forums message board on September 3. A user with the handle AgainstTheWest posted what were claimed to be screenshots from a TikTok and WeChat breach.
In that posting, the user said, referring to the alleged stolen data, that they had “yet to decide if we want to sell it or release it to the public.” A link to two samples of the data was published, along with a video of one set of database tables. The poster further claims to have extracted 2 billion records from the database.
In a September 3 Twitter posting, the user BlueHornet|AgainstTheWest also claims to have stolen “internal backend source code.”

Hacker claims to have accessed TikTok source code. Twitter

TikTok says there’s no evidence of a security breach

I have reached out to TikTok for more information and a TikTok spokesperson has told me: “TikTok prioritizes the privacy and security of our users’ data. Our security team investigated these claims and found no evidence of a security breach.
”

An earlier statement, in a Bloomberg U.K. article, addressed the stolen source code allegation directly: “Our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.
”

Which leaves the question of where this data has come from still to be answered. Troy Hunt, of the data breach information site Have I Been Pwned (haveibeenpwned.com), posted a lengthy thread to Twitter in an attempt to verify whether the sample data is genuine. His conclusion after much analysis is that the evidence is “so far pretty inconclusive.
”

Hunt goes on to say that there is some data that matches production info, but this is also publicly available anyway. He also found some ‘junk’ data but concedes this could be non-production or test data.

Has TikTok been breached? Troy Hunt analyzed the data. Twitter

In a Hacker News forum thread, it has been suggested that the data looks like it came not from TikTok itself but rather from a third party that integrates with TikTok for marketing or e-commerce purposes.
However, it is far from clear at the moment whether third parties have access to this type of data in the first place, let alone whether one has actually been breached.

Third-party data in leaked samples a clue to ‘breach’ origins

September 6 Update: The suspicion that the TikTok data leak was actually a third-party database breach would seem to be all but confirmed now. A TikTok spokesperson has provided me with an updated statement that reads as follows: “Our security team has found no evidence of a security breach.
We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases. The samples also appear to contain data from one or more third-party sources not affiliated with TikTok. We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community.
” There had already been some suggestion from data breach experts that the samples shared by ‘AgainstTheWest’ comprised scraped data. That is, publicly accessible data that has been collected, often by way of automated processes (bots), and compiled into a database for marketing or e-commerce use. The updated TikTok statement confirms this to be the case.
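As an added illustration of the distinction drawn above (my own example, not code from Forbes, TikTok or Troy Hunt), here is the kind of quick triage a practitioner runs over a dump sample before taking a breach claim seriously. The two CSV samples embedded in it are constructed for this example and are not the data posted on the forum; the column names and hash patterns are my assumptions about what such exports typically look like. The script separates columns a scraper can collect from a public profile from contact and credential columns that only a backend would hold, recognises common password-hash formats, and counts duplicate and empty ‘junk’ rows of the sort Hunt noted. Only a check against the real system, whether the hashes or email addresses correspond to live accounts, can settle the question, and the script cannot do that offline.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample shaped like a scraped marketing export: every column is
# visible on a public profile, one row is duplicated and one row is empty.
SCRAPED_SAMPLE = """\
username,nickname,follower_count,bio,avatar_url
alice_dance,Alice,120000,dance videos daily,https://example.invalid/a.jpg
bob_cooks,Bob,8300,home cooking,https://example.invalid/b.jpg
bob_cooks,Bob,8300,home cooking,https://example.invalid/b.jpg
,,0,,
"""

# Constructed sample shaped like a backend user table: emails plus a bcrypt
# hash and an unsalted MD5 hash (hash values are illustrative only).
BACKEND_SAMPLE = """\
user_id,email,password_hash,created_at
1001,alice@example.invalid,$2b$12$C6UzMDM.H6dfI/f/IKcEeO7wl3F1RNr0x5fw4w4uWFOYbvqzGhKWu,2021-03-04
1002,bob@example.invalid,5f4dcc3b5aa765d61d8327deb882cf99,2021-03-05
"""

# Assumed column-name hints for the three categories that matter for a claim.
PUBLIC_FIELDS = {"username", "nickname", "display_name", "follower_count",
                 "following_count", "bio", "avatar_url", "verified"}
CONTACT_FIELDS = {"email", "phone", "phone_number", "mobile"}
CREDENTIAL_FIELDS = {"password", "password_hash", "pwd", "hash", "salt"}

# Hash formats a public profile never carries; seeing them implies backend data.
HASH_PATTERNS = {
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "argon2": re.compile(r"^\$argon2(id|i|d)\$"),
    "md5/sha1/sha256 hex": re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$"),
}


def detect_hash_format(value):
    """Return the name of the first matching hash format, or None."""
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


def triage(sample_text):
    """Summarise what a CSV sample could prove; it cannot confirm a breach."""
    rows = list(csv.DictReader(io.StringIO(sample_text)))
    columns = set(rows[0].keys()) if rows else set()
    report = {
        "rows": len(rows),
        "public_columns": sorted(columns & PUBLIC_FIELDS),
        "contact_columns": sorted(columns & CONTACT_FIELDS),
        "credential_columns": sorted(columns & CREDENTIAL_FIELDS),
        "hash_formats": Counter(),
        "duplicate_rows": 0,
        "junk_rows": 0,
    }
    # Exact duplicate rows are common in scraped/merged marketing databases.
    seen = Counter(tuple(row.values()) for row in rows)
    report["duplicate_rows"] = sum(n - 1 for n in seen.values() if n > 1)
    for row in rows:
        # A row is 'junk' when every field is empty or zero.
        if all(value in ("", "0", None) for value in row.values()):
            report["junk_rows"] += 1
        for column in report["credential_columns"]:
            fmt = detect_hash_format(row.get(column) or "")
            if fmt:
                report["hash_formats"][fmt] += 1
    # Public-profile columns alone are consistent with scraping; contact or
    # credential columns mean the sample must be verified against live accounts
    # (enumeration via password reset, or hashes that match real users), which
    # needs access to the real system and is out of scope here.
    if report["credential_columns"] or report["contact_columns"]:
        report["verdict"] = "needs verification"
    else:
        report["verdict"] = "consistent with scraped public data"
    return report


if __name__ == "__main__":
    for label, sample in (("scraped", SCRAPED_SAMPLE), ("backend", BACKEND_SAMPLE)):
        print(label, triage(sample))
```

Run on the scraped-looking sample the verdict is “consistent with scraped public data” with one duplicate and one junk row; on the backend-looking sample it is “needs verification”, with one bcrypt and one hex hash detected. A verdict of “needs verification” is not a confirmed breach: as Hunt’s thread shows, that still requires evidence tying the emails or hashes to real accounts.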
It is certainly not unusual for such scraped databases to include data from a variety of sources, and that is also confirmed by the mention of third-party data in the statement. The data-scraping suggestion isn’t as straightforward as it might be, though. According to a Bleeping Computer report, a TikTok spokesperson told the publication that any leaked data couldn’t have come from “direct scraping” of the platform as TikTok has “adequate security safeguards to prevent automated scripts from collecting user information.”

Further confirmation of the third-party connection, however, comes by way of Bob Diachenko, a cyber threat intelligence analyst well known for his work on database leaks and breaches, who has tweeted following an analysis of the alleged TikTok breach sample data. Diachenko says that the data is likely to come from a company based in Hangzhou City, in Zhejiang Province, China. I have tried to contact the company but have been unsuccessful so far.
In his latest Twitter posts on the subject, Troy Hunt has stated that he has yet to see anything that verifies a TikTok breach. There are no “email addresses we can confirm the existence of via an enumeration vector (like password reset),” Hunt tweeted, or “password hashes that match accounts.” Meanwhile, the ‘AgainstTheWest’ account on the breach marketplace forum where the supposed TikTok breach data samples were published has been banned. As well as deleting those posts, the forum administrators have stated they banned the user for “lying about data breaches.” Twitter has also suspended the BlueHornet|AgainstTheWest user account.

What should TikTok users do now?

Although the latest TikTok statement advises that users don’t need to take any proactive actions, there is no harm in having an abundance of caution.
So, I would still recommend that TikTok users change their passwords and ensure they have two-factor authentication (2FA) activated as an extra layer of protection. Jake Moore, global cybersecurity advisor at security firm ESET, agrees, saying: “Although this data could purely be widely public data which has been scraped openly from the site, it still highlights the fact that the biggest social media platform in the world attracts criminal hackers and they will continue to be relentless and look for any vulnerability if it’s there. Whether this turns out to be truly private data causing every account to be potentially vulnerable or just open information from the site, users must make sure they have security alerts activated within the app and two-factor authentication turned on, as well as ensuring that their password used on the account is unique to any other account.”
From: forbes
URL: https://www.forbes.com/sites/daveywinder/2022/09/06/has-tiktok-us-been-hacked-and-2-billion-database-records-stolen/