Cyber-security experts on Monday discovered a possible data breach at the Chinese short-form video app TikTok, allegedly involving up to 2 million user records.
Many cyber-security experts tweeted about the “breach of an insecure server that allowed TikTok to access its storage. They believe this contained personal user data.”
“This is your forewarning. The #data #breach has been reported by #TikTok and there could be fallout in the next days. We recommend that you change your TikTok password and enable Two-Factor authentication, if not already,” tweeted BeeHive CyberSecurity.
“We have reviewed some of the data. We have already sent warning communications to our private clients and email subscribers,” it said.
Troy Hunt, the creator of the data breach information site HaveIBeenPwned, posted a thread on Twitter to check whether the sample data was genuine. He said that the evidence so far is “quite inconclusive”.
BlueHornet|AgainstTheWest posted all the details on breached forums.
“Who would’ve thought @TikTok would choose to store all of their internal backend code on one Alibaba Cloud instance with a sloppy password?” they posted on Twitter, describing how easy it was to download the data.
According to reports, a TikTok spokesperson stated that their security team had “investigated the statement and concluded that the code in question was not related to TikTok’s backend source code.”
The Microsoft 365 Defender Research Team discovered a flaw in TikTok for Android. This vulnerability allows hackers to take over the private short-form videos of millions of users who click on a malicious link.
Microsoft discovered a serious vulnerability in the TikTok application for Android that could have allowed attackers to access user accounts with a single click.
Exploiting the vulnerability would have required chaining multiple issues together.
The tech giant stated that hackers could have used the vulnerability to hijack accounts without users’ knowledge if they clicked a specially crafted link.
TikTok has denied recent claims that it was breached and that source code and user data were stolen. TikTok said that the data posted on a hacking forum is not related to the company.
A hacking group called “AgainstTheWest” created a topic on a hacking forum on Friday, claiming that they had breached TikTok as well as WeChat. One user shared screenshots from an alleged database belonging to the companies. They claim it was accessed via an Alibaba Cloud instance and contained data for both TikTok and WeChat users.
According to the threat actor, this server contains 2.05 billion records in a 790GB database that includes user data, platform statistics, software code, cookies, auth tokens and server info.
Although the name AgainstTheWest might sound like a hacking group targeting Western countries, the threat actor claims that they only target countries or companies that are hostile to Western interests.
“Don’t be confused by the name, ATW targets countries that they perceive as a threat to west society. Currently they are targeting China, Russia, and have plans to target North Korea and Belarus in the future,” says CyberKnow, a cybersecurity researcher.
TikTok denies being hacked
CSNEST has been informed by TikTok that claims of hacking the company are false. The company also claimed that the source code posted on hacking forums was not part of its platform.
“This is an inaccurate claim. Our security team investigated the statement and found that the code in question was not related to TikTok’s backend code. WeChat data has never been merged with it.” – TikTok.
TikTok told us that the leaked user data could not have resulted from direct scraping of their platform. They also assured us that adequate security measures were in place to prevent automated scripts collecting user information.
WeChat is owned by Tencent, while TikTok belongs to ByteDance. Seeing data from both in one database indicates that there was no breach of either platform.
The unprotected database was most likely created by a third-party data broker or data scraper who extracted public data from both services and then saved it to a single database.
Both companies are under constant scrutiny from privacy investigations by national services, so it is concerning to see such a rich cloud instance that contains both companies’ data.
Troy Hunt, creator of the HaveIBeenPwned data breach notification service, stated in a thread that some of the data was valid. However, Hunt was unable to find any data that was not publicly available on TikTok, so this does not prove an internal system breach.
Bob Diachenko, a “database hunter”, also confirmed the leaks as real but could not provide any concrete conclusions regarding the source of the data.
TikTok may have to take steps to stop the leakage of data if further investigation reveals that it is legitimate. We asked TikTok for an additional comment on this front, but have not received one.
As soon as new evidence becomes available, the story will be updated.