Troy Hunt, the founder of Haveibeenpwnd, said evidence is ‘so far pretty inconclusive’
TikTok, the popular video-sharing app, has rejected reports claiming the platform has suffered a data breach.
Reports of TikTok US data breach began to spread on 3rd September, claiming that the personal data of millions of users was at risk.
According to Forbes, the initial claim surfaced on the Breach Forums message board.
A user going by the name AgainstTheWest posted screenshots from an alleged WeChat and TikTok security breach. They said they had not yet decided whether they wanted to sell the stolen data or release it to the public.
The user posted a link to two data samples, along with a video showcasing one set of database tables. The post went on to say they had extracted 2 billion records from the database.
Recommended: How to Repost TikTok Videos Without Watermark
In a tweet, the user BlueHornet|AgainstTheWest claimed they had stolen “internal backend source code”.
Who would have thought that @TikTok would decide to store all their internal backend source code on one Alibaba Cloud instance using a trashy password? — BlueHornet | AgainstTheWest (@AggressiveCurl) September 3, 2022
A number of cybersecurity experts tweeted about the alleged hack of an unprotected server that gave access to TikTok’s storage.
Australian online security expert Troy Hunt, founder of Haveibeenpwned, posted an extensive Twitter thread in an effort to determine if the sample data is genuine.
He examined a few of the data samples contained in the leaked files and discovered matches between user profiles and videos uploaded under those IDs. However, Hunt found that part of the data exposed was “publicly accessible data that could have been constructed without breach”.
He also discovered some “junk” data that may be a test or non-production data.
After extensive research, Hunt came to the conclusion that the evidence is “so far pretty inconclusive”.
Same with “sys_user_202209032248.csv”: pic.twitter.com/KBf2PgBcCx
— Troy Hunt (@troyhunt) September 5, 2022
A spokesperson for TikTok told Bloomberg that the breach allegations were untrue.
“Our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code,” the spokesperson said.
The reports come only days after Microsoft said it had discovered a high-severity bug in TikTok’s Android app that would have enabled attackers to access users’ accounts with a single click.
The bug, tracked as CVE-2022-28799, was reported to TikTok in February and has now been fixed.
The TikTok app, which is owned by Chinese company ByteDance, has more than one billion monthly users and is a favorite among Gen Z.
That makes it a tempting target for hackers, who could try to hijack well-known accounts or sell private information.
The app has also drawn criticism in multiple countries over its alleged links to the Chinese government. In the USA, former president Donald Trump even attempted to ban TikTok by executive order.
Recommended: How To Recover Google Photos
In June, US FCC commissioner Brendan Carr urged Apple and Google to stop offering TikTok in their app stores, saying the app poses a serious national security risk and may send sensitive personal data to Beijing.
Last month, the UK Parliament closed its TikTok account, after a group of MPs and peers voiced concerns about the platform’s ties to the Chinese Communist Party and its treatment of user data.
