Final week, Microsoft revealed a vulnerability within the TikTok Android app that menace actors doubtlessly may have exploited to hijack TikTok person accounts with a single click on. Luckily, TikTok patched the vulnerability earlier this yr earlier than its disclosure. Nevertheless, shortly after Microsoft publicly disclosed the vulnerability, a Breach Boards person claimed to have entry to a server containing 6.7TB of information stolen from TikTok, in addition to the Chinese language messaging app WeChat. Whereas TikTok nonetheless seems to be conducting an investigation into the matter, the corporate has denied any claims that it was topic to an information breach.
An unknown actor with the username “AgainstTheWest” introduced the supposed breach on Breach Boards, a hacking discussion board that features as a successor to RaidForums, which US regulation enforcement seized again in February. In July, a Breach Boards person by the identify of “ChinaDan” introduced the theft of one billion information from the Shanghai Nationwide Police database. This breach marked China’s largest knowledge breach in historical past. Nevertheless, solely a pair months later, AgainstTheWest claimed to have proof of a fair bigger breach exposing TikTok and WeChat person knowledge and supply code. The person posted samples of allegedly stolen TikTok and WeChat knowledge as proof of the breach’s authenticity.
The info samples puzzled cybersecurity analysts who discovered that the samples included info that was already publicly obtainable blended with empty tables and knowledge that appeared clearly pretend. These analyses referred to as into query the declare that TikTok and WeChat had been breached. Not lengthy after cybersecurity analysts carried out these preliminary investigations, TikTok shared the outcomes of its personal preliminary investigation, telling BleepingComputer that the declare of a TikTok breach was false: “That is an incorrect declare — our safety crew investigated this assertion and decided that the code in query is totally unrelated to TikTok’s backend supply code, which has by no means been merged with WeChat knowledge.”
Restored Breach Boards publish asserting the information breach
AgainstTheWest responded to TikTok’s assertion by deleting the discussion board publish asserting the breach. Nevertheless, pompompurin, the proprietor of Breach Boards, banned AgainstTheWest and restored the discussion board publish, saying that AgainstTheWest was both mendacity in regards to the TikTok breach or didn’t examine the allegedly stolen knowledge earlier than claiming to own knowledge obtained from a TikTok breach. Whereas it appears that evidently TikTok wasn’t straight breached, the precise supply of the information continues to be unclear.
The info samples embrace person info that TikTok deliberately makes publicly obtainable, however not within the type of an simply readable database. One chance is that the information was scraped from TikTok’s public-facing web site. Nevertheless, TikTok informed BleepingComputer that it has safety safeguards in place to cease automated scripts from scraping its platform to gather person info. One other chance is that the information was scraped or stolen from a third-party platform that integrates with TikTok.
A TikTok spokesperson made an announcement to Forbes that lends credence to this principle: “Our safety crew has discovered no proof of a safety breach. We have now confirmed that the information samples in query are all publicly accessible and usually are not attributable to any compromise of TikTok methods, networks, or databases. The samples additionally seem to include knowledge from a number of third-party sources not affiliated with TikTok.” After digging by way of the information that seems to have come from third-party sources, cybersecurity analyst Bob Diachenko acknowledged on Twitter that the “Knowledge is prone to come from Hangzhou Julun Community Expertise Co., Ltd quite than TikTok.” We’ll must see whether or not additional investigations affirm this conclusion.
