Security researchers from Safety Detectives discovered an unsecured ElasticSearch server containing scraped social media profiles taken from Instagram and TikTok. The leaky database, which belonged to the social media analytics site IGBlade.com, reportedly exposed more than 2.6 million records of user accounts. The records contained screenshots and URLs to social media profile pictures and other forms of scraped personal data.
IGBlade’s server contained different types of personal data, including users’ full names, usernames of social media handles, images, picture links, users’ bio, email addresses, contact numbers, location, media counts, followers count, and engagement rate metrics.
“IGBlade’s server was live and being updated at the time of discovery. The size of IGBlade’s breach suggests more than 2 million social media users could be immediately affected by the leaked content of the server. We found several examples of high-profile accounts on the server too. Prominent influencers, such as food bloggers, celebrities, and social media influencers, all featured. Public forms of data for huge, verified celebrity accounts, such as Alicia Keys, Ariana Grande, Kim Kardashian, Kylie Jenner, and Loren Gray, had all been scraped and stored on IGBlade’s open ElasticSearch server,” the researchers said.
Impact of the Leak
The leaked content from the unsecured server could impact both the company and social media users. Threat actors often misuse scraped or leaked data for various cybercriminal operations like identity thefts and financial fraud.
Is Data Scraping Legal?
Certain social media companies allow third-party vendors and web developers to scrape users’ data for market research purposes. However, some social media companies like TikTok and Instagram don’t allow data scraping methods on their platforms.
The discussion around data scraping practices has been making rounds for a while. While the security community feels the practice makes user data vulnerable, data brokers argue that scraping publicly available data is legal. Earlier, Facebook Ireland imposed legal action against two people in Portugal for scraping users’ personal information from their Facebook pages.