Socialarks, a well-known and fast-growing Chinese social media management company, has suffered a huge data leak that exposed over 400GB of personal data, including that of several high-profile celebrities and social media influencers.
Socialarks is a “cross-border social media management company dedicated to solving the current problems of brand building, marketing, social customer management in China’s foreign trade industry”.
The leak stems from a misconfigured ElasticSearch database that contained personally identifiable information (PII) from at least 214 million social media users from around the world, using both populist consumer platforms such as Facebook and Instagram, as well as professional networks such as LinkedIn.
Experts found the ElasticSearch server to be publicly exposed without password protection or encryption, during routine IP-address checks on potentially unsecured databases.
The lack of security apparatus on the company’s server meant that anyone in possession of the server IP-address could have accessed a database containing millions of people’s private information.
The affected database contained a “huge trove” of sensitive personal information to the tune of 408GB and more than 318 million records in total, according to Anurag Sen, head of the Safety Detectives cybersecurity team.
What was Leaked?
Socialarks’ server contained scraped profiles of more than 214 million social media users, obtained from Facebook, Instagram and LinkedIn.
The database contained more than 408GB of data and more than 318 million records. The number of profiles affected in the data leak:
- 11,651,162 Instagram user profiles
- 66,117,839 LinkedIn user profiles
- 81,551,567 Facebook user profiles
Additionally, 55,300,000 Facebook profiles were deleted within a few hours of the detection.
The Instagram index contained popular personalities and online celebrities. High-profile influencers, including prominent food bloggers, celebrities and other social media influencers, were found in the exposed database.
Instagram records exposed the following details:
- Full name
- Phone numbers for 6+ million users
- Email addresses for all 11+ million users
- Profile link
- Username
- Profile picture
- Profile description
- Average comment count
- Number of followers and following count
- Country of location
- Specific locality in some cases
- Frequently used hashtags
The leak exposed 81.5 million Facebook user profiles with over 40 million exposed phone numbers and a further 32 million email address entries. Notably, most of the phone numbers discovered originated from pages and not individuals.
Facebook records exposed the following details:
- Full name
- ‘About’ text
- Email addresses
- Phone numbers
- Country of location
- Like, Follow and Rating count
- Messenger ID
- Facebook link with profile pictures
- Website link
- Profile description
Nearly 66.1 million LinkedIn user profiles with 31 million leaked email addresses were found.
LinkedIn records exposed the following details:
- Full name
- Email addresses
- Job profile including job title and seniority level
- LinkedIn profile link
- User tags
- Domain name
- Connected social media account login names, e.g., Twitter
- Company name and revenue margin
Data breach impact
Data scraping is a means of extracting private information from a website. Most data scraping is completely harmless and carried out by web developers, business intelligence analysts, honest businesses such as travel booker sites, as well as being done for market research purposes online.
However, if such data is stored without adequate cybersecurity, large leaks will affect millions of people.
In SocialArks’ case, private information was obtained from multiple sources and supplemented with scraped data. Moreover, the company’s server had insufficient security and was left completely unsecured.
Contact information can be used to target people with scams, including personalised emails that contain personal information about the target, thereby gaining their trust and setting the stage for a deeper intrusion into their privacy.
Shared personal information can be weaponized by wicked hackers to launch “mass attacks”.
Preventing Data Exposure
- Be cautious of what information you give out and to whom
- Check that the website you are on is secure (look for https and/or a closed lock)
- Only provide information that you feel confident cannot be used against you
- Create secure passwords by combining letters, numbers, and symbols
- Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
- Double-check any social media accounts to ensure that your posts and personal details are visible only to people you trust
- Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks
- Learn more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware.