As many as 235 million users across a variety of services have had their personal details scraped into and exposed by four separate databases. That’s according to a recent report from The Next Web, which says the data came from profiles across three services. Three of the databases were discovered by Comparitech lead researcher Bob Diachenko. That was back on August 1, while the fourth appears to have been detailed by the former company behind the scrape.
Those were stored, the researcher indicates, with no password or other protections in place. In each case, the databases were identical. So, in effect, there were potentially four separate databases in place. All of which exposing the same users’ data to anybody who could find it on the web.
Which services were impacted by this and what is a scrape anyway?
Now, according to Mr. Diachenko and the rest of the research team behind the discovery, the data wasn’t scraped by four separate companies. Instead, in this case, the data of all 235 million users was scraped out and exposed by just one entity. That’s the former data aggregating analytics firm Deep Social.
And it wasn’t just one company the data was scraped from either. For clarity, scraping is not illegal in any sense — Deep Social is even noted as being GDPR-compliant in at least one short description found online. Although it is frowned on by most prominent social networking platforms.
In fact, it is essentially a means to pool data from a variety of services for analytics. So it’s all data that users made publicly available on the services it was scraped from. In this case, that includes YouTube, TikTok, and Instagram — likely from both apps and the web. And, in this case, that includes data ranging from names, contact info, and images to menial statistics such as the number of followers a user has. Age, gender, and other similar details were also included.
How long was the scraped data of 235 million users exposed?
As noted above, none of the details reportedly pooled into the protected databases was necessarily hidden, to begin with. Particularly where YouTube is concerned. Instagram and TikTok do a bit more to protect users from those who don’t have accounts. But, for the most part, those details would have been available anyway for anybody with Internet access.
So this isn’t necessarily as big a deal as a hack or security breach. Although it would probably be more comforting if more companies did more to protect this kind of information. And if Deep Social had secured the data in any form or fashion. It’s not immediately clear how long the information was exposed before discovery.