TikTok hack: Attacker claims to have exposed more than a billion users

Security researchers warn TikTok user data appears to have been listed on a hacking forum on 3 September, 2022 (Getty Images/ iStock)

An alleged hack of TikTok may have exposed the data of more than 1 billion users, cyber security researchers have warned.

Reports of a data breach first emerged on a popular hacking forum over the weekend, with hackers claiming to have exploited an insecure server containing personal information of TikTok users.

The claims coincided with a security alert from Microsoft warning of a “high-security vulnerability” in TikTok’s Android app, which could have allowed attackers to “compromise users’ accounts with a single click.”

The alleged hackers claim to have access to around 34GB of data from TikTok users.

“We have to decide if we want to sell it or release it to the public,” a user named AgainstTheWest wrote on a Breach Forums message board.

“About 1.37 billion entires have been pulled... The entries are from all over the world... This data contains a lot of under aged people.”

Security researcher Troy Hunt, who operates the Have I Been Pwned data breach service used by dozens of national governments, analysed ta 237MB sample of the files listed on the hacking forum.

Mr Hunt was unable to verify the legitimacy of the hack from the sample, claiming that the data was already publicly available.

“This is so far pretty inconclusive,” he tweeted on Monday. “Some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data. It’s a bit of a mixed bag so far.”

A TikTok spokesperson denied that any breach had occured, adding that the vulnerability identified by Microsoft “is completely unrelated” to TikTok’s backend source code.

“TikTok prioritizes the privacy and security of our users’ data,” a spokesperson told The Independent. “Our security team investigated these claims and found no evidence of a security breach.”

TikTok is the world’s most visited website, according to security firm Cloudflare, having overtaken Google in 2021.

Its China-based parent company ByteDance has previously been criticised for sharing details about their algorithms with the Chinese government, while security concerns have also been raised about state involvement.

A 2019 lawsuit claimed that TikTok had “clandestinely vacuumed up and and transferred to servers in China vast quantities of private and personally-identifiable user data that can be employed to identify, profile, and track the location and activities of users in the United States now and in the future”, an accusation that ByteDance denies.

The app is already banned by both the US Army and the US Navy due to security concerns.

“There has long been much scrutiny over the way TikTok handles its own security and the way it looks after the privacy of its users, which naturally attracts attention from criminal groups as well as nation-state actors,” said Jake Moore, a cyber security advisor at the software firm ESET.

“Whether this turns out to be truly private data causing every account to be potentially vulnerable or just open information from the site, users must make sure they have security alerts activated within the app and two-factor authentication turned on, as well as ensuring that their password used on the account is unique to any other account.”