A severe “one-click” TikTok hack that Microsoft discovered and reported to the social media giant was reportedly patched without incident, but a hacker has popped up on an underground forum to claim that they have stolen data for sale. The attack impacts the Android app version of the service and allows for an account takeover when a victim clicks on a malicious URL.
If the hacker’s story is to be believed, the information from two billion profiles could have been stolen. However, the evidence is thin at this point. Microsoft says that there is no evidence that the TikTok hack was ever used in the wild, and TikTok says that it has found no evidence of a breach.
TikTok hack put billions of accounts at risk, but evidence of public exposure remains thin
Microsoft’s 365 Defender Research Team discovered the account takeover vulnerability and reported it to TikTok in February of this year, but only recently disclosed it to the public. TikTok said that it patched the issue immediately after becoming aware of it. The vulnerability is present in versions of the Android app prior to 23.7.3, so TikTok users with automatic updates enabled (or those who have downloaded the app since March 2022) should already be protected. It was also present in all global versions of the app, including the ones specifically designed for select nations in Asia.
After account takeover bug reported, hacker claims exposed data for over a billion users, offers it for sale
Initially it appeared that this was a simple case of a serious vulnerability being discovered internally, patched and then acknowledged when it was safe months after the fact. Then a threat actor popped up on an underground forum claiming that they had exploited a TikTok hack that had allowed them to steal 34GB of user data.
It is not entirely clear whether the attacker is claiming to have used the account takeover vulnerability to steal the data, but they purported to have about 1.37 billion user records for sale (nearly the total estimated count of Android app users) and appeared with the offer not long after the vulnerability was disclosed to the public.
The offer appeared on the underground “Breach Forums” message board, posted by a user calling themselves “AgainstTheWest.” They indicated that they were considering either selling the data or simply dumping it to the public.
Security researchers are not convinced that this came from a legitimate TikTok hack or that account takeovers were involved, however, at least on a first look at the available evidence. Have I Been Pwned owner Troy Hunt, a professional security researcher, analyzed the 237 MB sample of data the threat actor provided and did not see clear evidence tying it to a new breach. He said that some of the included data was already publicly available, and other portions of it were junk or test data.
Davey Winder, security researcher and senior cybersecurity contributor for Forbes, recently conducted a deeper dive into the purported TikTok hack and echoed the results of the Have I Been Pwned analysis. Winder added that the data included in the sample appeared to come from a third-party marketing firm that works with TikTok, something that has since been supported by statements from TikTok itself. Bob Diachenko, another prominent cybersecurity analyst, has added that he believes the data came from a marketing company based in Hangzhou City, China. It is unclear exactly how much user information this firm had access to.
Though there are not yet any signs of successful account takeover and TikTok is not recommending any special security steps at this time, users may want to enable two-factor authentication (2FA) on their accounts out of an abundance of caution. TikTok is coming off of a potentially more concerning incident over the summer, in which it was revealed that engineers in China have extensive access to foreign user accounts despite promises from the company that this would no longer happen. TikTok also experienced a third-party data leak in 2020, though this included profiles from other services such as Instagram and YouTube and did not affect nearly as much of its user base.