Earlier this month, I reported how security researchers had uncovered a serious TikTok vulnerability that could have exposed users to a 1-click account takeover exploit. That issue, impacting Android app users, has long since been patched by TikTok. However, just as TikTok users breathe a sigh of relief, reports that TikTok U.S. has been hacked have started circulating, first on an online data breach marketplace forum and then on Twitter over the holiday weekend. A TikTok spokesperson has told this reporter that no evidence of a security breach has been found. Security experts recommend that TikTok users change their passwords and ensure two-factor authentication (2FA) is activated anyway, out of an abundance of caution.
The TikTok hack allegations
The first reports of an alleged hack appeared on the Breach Forums message board on September 3. A user with the handle of AgainstTheWest posted what was claimed to be screenshots from a TikTok and WeChat breach. In that posting, the user said, referring to the alleged stolen data, that they had “yet to decide if we want to sell it or release it to the public.” A link to two samples of the data was published, along with a video of one set of database tables. The poster further claims to have extracted 2 billion records from the database. In a September 3 Twitter posting, the user BlueHornet|AgainstTheWest also claims to have stolen “internal backend source code.”
TikTok says there’s no evidence of a security breach
I have reached out to TikTok for more information, and a TikTok spokesperson has told me: “TikTok prioritizes the privacy and security of our users’ data. Our security team investigated these claims and found no evidence of a security breach.”
An earlier statement, in a Bloomberg U.K. article, addressed the stolen source code allegation directly: “Our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.”
This leaves the question of where this data has come from still to be answered.
Troy Hunt, of data breach information site haveibeenpwned, posted a lengthy thread to Twitter in an attempt to verify whether the sample data is genuine. His conclusion after much analysis is that the evidence is “so far pretty inconclusive.” Hunt goes on to say that there is some data that matches production info, but this is also publicly available anyway. He also found some ‘junk’ data but concedes this could be non-production or test data.
In a Hacker News forum thread, it has been suggested that the data looks like it came not from TikTok itself but rather from a third party that integrates with TikTok for marketing or e-commerce purposes. However, it is far from clear at the moment whether third parties have access to this type of data in the first place, let alone whether one has actually been breached.
Third-party data in leaked samples a clue to ‘breach’ origins
September 6 Update:
The suspicion that the TikTok data leak was actually a third-party database breach would seem to be all but confirmed now. A TikTok spokesperson has provided me with an updated statement that reads as follows:
“Our security team has found no evidence of a security breach. We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases. The samples also appear to contain data from one or more third-party sources not affiliated with TikTok. We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community.”
There had already been some suggestion from data breach experts that the samples shared by ‘AgainstTheWest’ comprised scraped data: publicly accessible data that has been collected, often by way of automated processes (bots), and compiled into a database for marketing or e-commerce use. The updated TikTok statement confirms this to be the case. It is certainly not unusual for such scraped databases to include data from a variety of sources, and that is also confirmed by the mention of third-party data in the statement.
The data-scraping explanation isn’t as straightforward as it might be, though. According to a Bleeping Computer report, a TikTok spokesperson told the publication that any leaked data couldn’t have come from “direct scraping” of the platform, as TikTok has “adequate security safeguards to prevent automated scripts from collecting user information.”
Further confirmation of the third-party connection, however, comes by way of Bob Diachenko, a cyber threat intelligence analyst well-known for his work on database leaks and breaches, who has tweeted following an analysis of the alleged TikTok breach sample data. Diachenko says that the data is likely to come from a company based in Hangzhou, in Zhejiang Province, China. I have tried to contact the company but have been unsuccessful so far.
In his latest Twitter posts on the subject, Troy Hunt has stated that he has yet to see anything that verifies a TikTok breach. There are no “email addresses we can confirm the existence of via an enumeration vector (like password reset),” Hunt tweeted, or “password hashes that match accounts.”
Meanwhile, the ‘AgainstTheWest’ account on the breach marketplace forum where the supposed TikTok breach data samples were published has been banned. As well as deleting those posts, the forum administrators have stated they banned the user for “lying about data breaches.” Twitter has also suspended the BlueHornet|AgainstTheWest user account.
What should TikTok users do now?
Although the latest TikTok statement advises that users don’t need to take any proactive actions, there is no harm in exercising an abundance of caution. So, I would still recommend that TikTok users change their passwords and ensure they have two-factor authentication (2FA) activated as an extra layer of protection.
Jake Moore, the global cybersecurity advisor at security firm ESET, agrees, saying: “Although this data could purely be widely public data which has been scraped openly from the site, it still highlights the fact that the biggest social media platform in the world attracts criminal hackers and they will continue to be relentless and look for any vulnerability if it’s there. Whether this turns out to be truly private data causing every account to be potentially vulnerable or just open information from the site, users must make sure they have security alerts activated within the app and two-factor authentication turned on, as well as ensuring that their password used on the account is unique to any other account.”