TikTok, once again became under scrutiny about its data protection as it store the billion of users personal information. Cybersecurity researcher on discovered a potential data breach in Chinese video app TikTok, allegedly involving up to 2 billion user database information. Only days earlier, Microsoft Corp. said it had found a high-severity vulnerability in TikTok’s Android application, which would have allowed attackers to compromise users’ accounts with a single click.
Several cybersecurity firms tweeted about the potential data breach
The firms tweeted about the discovery of a breach of an insecure server that allowed access to TikTok’s storage, which they believe contained personal user data.
This is your forewarning. #TikTok has reportedly suffered a #data #breach, and if true there may be fallout from it in the coming days. We recommend you change your TikTok #password and enable two factor authentication, if you have not done so already. We’ve reviewed a sample of the extracted data. To our email subscribers and private clients, we’ve already sent out warning communications.
BeeHive CyberSecurity Tweet
Troy Hunt, creator of data breach information site haveibeenpwned, posted a thread on Twitter to verify if the sample data is genuine or not. For him, the evidence is so far pretty inconclusive. Who would have thought that TikTok would decide to store all their internal backend source code on one Alibaba Cloud instance using a trashy password? how easily they could download the data. BlueHornet | AgaisntTheWest posted all the details on breached forums.
That makes it an enticing target for hackers who may seek to hijack popular accounts or resell sensitive information. It was identified as a privacy threat by the Trump administration in 2020 and nearly banned because of concern about potential links between its Beijing-based parent company and the Chinese government.
TikTok denies any data breach or being hacked
In response to these allegations, TikTok said its team found no evidence of a security breach.
We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases. We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community.
Maureen Shanahan – TikTok Spokesperson
Troy Hunt, an Australian web security consultant, went through some of the data samples listed in the leaked files and foundmatches between user profiles and videos posted under those IDs. But some details included in the leak were publicly accessible data that could have been constructed without breach.
This is so far pretty inconclusive; some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data. It’s a bit of a mixed bag so far.
Troy Hunt Tweet
A day earlier Microsoft 365 Research Team just discovered a bug in the TikTok app
Microsoft discovered a high-severity vulnerability in the TikTok Android application, which could have allowed attackers to compromise users’ accounts with a single click.
Microsoft 365 Defender Research Team just discovered a vulnerability in the TikTok app for Android that can let hackers take over private, short-form videos of millions of users once they clicked on a malicious link. It may have allowed attackers to access and modify TikTok profiles and sensitive information, such as by publicizing private videos, sending messages and uploading videos on behalf of users.
Dimitrios Valsamaras – Microsoft 365 Defender Research Team
A TikTok spokesperson said the company had responded quickly to Microsoft’s findings and fixed the security flaw, which was found in some older versions of the Android app. The claims of a breach discovered over the weekend were incorrect. Our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.
However inconclusive or small the issues may be, there will be intense focus on TikTok and its parent firm at a time when the US may step up its measures against businesses with links to China. In June, nine US senators wrote a public letter to TikTok’s chief executive officer asking him to explain alleged security breaches.
President Joe Biden is expected to sign an executive order that would restrict US investment in Chinese tech companies and separate action targeting TikTok is a possibility, with the administration paying close attention to whether the Chinese government has access to American customer data. The company has told US lawmakers that it has taken steps to protect that data through a contract with Oracle Corp.
There’s a lot of attention on the way TikTok operates and there’s a big gap between how it operates and how it says it operates. It had found excessive data harvesting carried out by TikTok on user devices, that the app checks device location at least once an hour and it has code that collects serial numbers for both the device and the SIM card.
Robert Potter – CEO of Australian-US cybersecurity firm Internet 2.0
The report received wide attention in Australia, and Clare O’Neil, the new Minister for Home Affairs, announced on Monday that she has ordered her department to investigate what data TikTok acquires and who can access it.