Incident Of The Week: Social Media Data Scraped And Found Unprotected Online

[Records Exposed: 235 million |  Industry: Social Media  |  Type Of Attack: Scraping]

A database of 235 million social media profiles were found unsecured by researchers with Comparitech. While data scraping is technically legal, it goes against the terms of use for the brands affected.

The Facts:

Data scraping is the act of moving information from a website into an actionable form like an Excel spreadsheet or computer file. Such a technique can be benign under certain paradigms. For example, travel comparison sites like Trivago and Kayak deploy a program that scrapes hotel and airline sites for rates which it compiles on their website. Data scraping is commonly used by marketers to paint a clearer picture of their target base and advertise to them accordingly.

However, social media data scraping and aggregating is an effective way for hackers to quickly and easily scale phishing schemes and engage in fraudulent activities. Additionally, scraped data can be sold to companies who engage in spam practices as a means of advertising. Although spam remains legal in most jurisdictions, it is condemned as a legitimate marketing strategy. Finally, data scraping is commonly used on social media sites to steal content from influencers and repost it under a fraudulent account. It is for this reason that Facebook and Instagram banned the now defunct data scraping company, Deep Social, in 2018.

Related: How To Preemptively Track Phishing Campaigns

On August 1, Bob Diachenko, security researcher with Comparitech, found a database of almost 235 million social media profiles that weren’t protected by a password or authentication measures. The guilty party, Social Data—who claims not to be affiliated with Deep Social—scraped TikTok, YouTube, and Instagram for data including names, contact and personal information, and profile pictures. When confronted, Social Data removed the data and included this statement to Diachenko in an email:

“Please, note that the negative connotation that the data has been hacked implies that the information was obtained surreptitiously. This is simply not true, all of the data is available freely to ANYONE with Internet access. I would appreciate it if you could ensure that this is made clear. Anyone could phish or contact any person that indicates telephone and email on his social network profile description in the same way even without the existence of the database. […] Social networks themselves expose the data to outsiders – that is their business – open public networks and profiles. Those users who do not wish to provide information, make their accounts private. [sic]”

Regardless, scraping goes against social media policies and can be dangerous for the reasons stated above. Social media brands have and are continuing to actively fight against scraping activities using both the law and technology. However, it is difficult for systems to distinguish between a scraper and an authentic website visitor.

Lessons Learned:

COVID-19 and work-from-home solutions is opening the door to threat actors in new and creative ways. The lines between work and home are being blurred in ways that go beyond pajama pants and bedroom offices. Employees are switching back and forth between personal and business accounts—or worse, using both accounts for both purposes—and don’t always practice cyber security hygiene.

Related: Cyber Security Tactic & Strategy

Additionally, telecommuters are communicating digitally across multiple platforms. With so much overlap, something as innocuous sounding as social media data scraping opens a door that otherwise is closed. It is easy to become desensitized to yet another email, which gives clever phishing schemes a greater chance of succeeding. Communicating with fellow employees through social media or posting status updates about the workplace creates additional phishing fodder.

Phishing is a numbers game. With the 250 million scraped social media accounts, hackers can set up a phishing bot to send out massive amounts of fraudulent messages with the click of a button. Enterprises must actively engage their employees in cyber security training, testing, and auditing even as so many of those employees work from home.

Quick Tips:

While scraping remains legal, there are simple steps individuals can take to protect their social media accounts from phishing attempts and spam.

1. Set Social Media Accounts To Private – Web scraping bots can only view public information and data.
2. Delete Friends You Don’t Know – Scraper bots follow social media accounts en masse in order to scrape your private, inside information. Don’t friend people you don’t know and/or can’t trust, and check your current list of friends and followers for accounts that appear fake.
3. Keep Business And Personal Separate – At the very least, be sure to use business accounts for business uses and vice-versa. While coworkers are often friends, all work talk should be kept off of social media. Telecommuting best practices go so far as to suggest using one browser for work and a different browser for personal.

Read More: Incident Of The Week