More than 400GB of public and private profile data for 214 million social-media users from around the world has been exposed to the internet – including details for celebrities and social media influencers in the U.S. and elsewhere.
A cloud misconfiguration by Socialarks, a high-flying and rapidly growing Chinese social media management company, led to the exposure of this data.
The Safety Detectives team (www.safetydetectives.com, the world’s largest antivirus review website) found the Elasticsearch server publicly exposed, without password protection or encryption, during routine IP-address checks on potentially unsecured databases.
Because the company’s server had no security controls in place, anyone in possession of its IP address could have accessed a database containing private information for millions of people.
Personally identifiable information (PII) for at least 214 million social media users around the world was found in the company’s unsecured Elasticsearch database, drawn from both popular consumer channels such as Facebook and Instagram and specialist networks such as LinkedIn.
Headquartered in both Shenzhen and Xiamen, Socialarks is a sprawling company with more than 10 regional branches spread across southern China including populous hotspots such as Beijing, Shanghai, Shenzhen, Guangzhou, Ningbo and Suzhou.
According to Socialarks, the company is a “cross-border social media management company dedicated to solving the current problems of brand building, marketing, marketing, social customer management in China’s foreign trade industry”.
In order to carry out automated and reliable marketing for different companies across China, the company uses a data management platform (DMP) and has introduced both iOS and Android applications in recent years.
The Socialarks server held scraped profiles of more than 214 million social media users, collected from Facebook, Instagram and LinkedIn.
Data scraping is a way of extracting private information from a website.
While it is not illegal to scrape data, it is against the terms and conditions of major social media firms.
More than 408GB of data and over 318 million documents were stored in the leaked database.
Each record included public data scraped from Instagram influencer accounts, including their biographies, profile photos, follower totals and location settings, as well as personal information such as contact details, in the form of email addresses and phone numbers.
Socialarks suffered a similar data breach in August 2020 leading to data from 150 million LinkedIn, Facebook and Instagram users being exposed.
In an almost carbon-copy incident, August’s database breach revealed reams of personal data from 66 million LinkedIn users, 11.6 million Instagram accounts and 81.5 million Facebook accounts.
Tech expert Trevor Long said the apparent size of the database of scraped information made it “one of the most significant we’ve seen”.
He said issues could arise when data from several online sources were amalgamated.
“I think situations like this are reality checks for people – you’ve got your email over there and your phone number over there, but using data-scraping tools, all that information can be brought together in one place,” he said.
“I think that’s the risk people don’t normally see.”