A configuration failure in a database caused more than 400 GB of public and private information to leak, exposing 214 million users of Facebook, Instagram, LinkedIn and other social networks. According to the website Threatpost, celebrity accounts and influencers were also hit.
The data included profile pictures, follower and comment counts, location settings, contact information (email and phone), professional information (company name and position) and most-used hashtags, among others.
The server, owned by the Chinese company SocialArks, had neither password protection nor encryption, researchers from Safety Detectives revealed. The flaw was discovered during a routine check of potentially vulnerable database IP addresses. This database, in particular, contained more than 318 million user records:
"Our team of researchers was able to identify that all the leaked information was extracted from social media platforms, which is unethical and also a violation of the terms of service of Facebook, Instagram and LinkedIn," said the members of Safety Detectives, after investigating the leak across the networks.
In all, 11,651,162 Instagram user profiles, 66,117,839 LinkedIn profiles and 81,551,567 Facebook profiles were detected. Another 55,300,000 profiles from Mark Zuckerberg's social network were deleted hours after the vulnerable server was discovered.
The researchers were surprised to find that the database stored private information that users had chosen not to disclose publicly. "We don't know how SocialArks was able to access this information, obtain private data from several secure sources. In addition, the company's server was completely unprotected," they said.
The company implemented security measures on the database that leaked the social network data on the same day that the Safety Detectives team warned of the failure.
Similar Facebook glitch
This was not the first time that a SocialArks server had been affected by a leak. In August 2020, a similar failure affected 150 million Facebook, LinkedIn and Instagram users. Public data was also collected, such as names, country of residence, and professional and contact information.