TikTok, the world’s most popular short video app, has denied it suffered a data breach and that its source code and user data were stolen. The denial from the company comes after several cybersecurity analysts tweeted on Monday about the app becoming a data breach victim over the weekend.
The news of the supposed hacking of TikTok first appeared on the Breach Forums message board on Friday when a hacktivist group ‘AgainstTheWest’ (ATW) claimed to have found security breaches in TikTok and WeChat.
The group published screenshots of an alleged database belonging to TikTok and WeChat, which the hacker claims had access to an Alibaba cloud instance containing data for both the app users.
The threat actor says this server contained 2.05 billion records in a massive 790GB database, which includes user data, platform statistics, software code, cookies, auth tokens, server info, and much more. The hacker also stated that it hadn’t yet decided whether to leak the data or sell it publicly. It even went on to publish links to two data samples and a video of one set of database samples.
TikTok denies AgainstTheWest’s hacking claims and said that all the allegations are false. The company also added that the source code shared on hacking forums is not a part of its platform.
“This is an incorrect claim — our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code, which has never been merged with WeChat data,” TikTok told BleepingComputer in a statement.
TikTok confirmed the presence of some data to BleepingComputer but also added that the leaked user data could not result from a direct data scraping activity of its platform, as the company has adopted adequate security measures to avoid automated scripts from collecting user information.
Troy Hunt, the creator of the HaveIBeenPwned data breach notification service, tested the leaked data and found some matches confirmed in a Twitter thread that the data breach is valid. However, he also found that some of the leaked details were already publicly available, which does not require a breach for access.
“This is so far pretty inconclusive; some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data. It’s a bit of a mixed bag so far,” Troy tweeted.
This is so far pretty inconclusive; some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data. It's a bit of a mixed bag so far.
— Troy Hunt (@troyhunt) September 5, 2022
Similarly, Bob Diachenko, the popular data breach hunter, and his team, who examined the publicly exposed data have confirmed its authenticity, but they are unable to establish the origin.
OK, #TikTokBreach is real. Our team analyzed publicly exposed repos to confirm partial users data leak. pic.twitter.com/8ygcRKBMc3
— Bob Diachenko ?? (@MayhemDayOne) September 5, 2022
Only days earlier, the Microsoft 365 Defender Research Team had revealed that they had discovered a “high-severity vulnerability” in TikTok’s Android application, which allowed attackers to hijack a user’s account with a single click. The vulnerability was already fixed by TikTok before the details were published.
