It was possible to extract this data due to a vulnerability in an internal API.
428 million unique TikTok user records were reportedly stolen through the exploitation of an internal API vulnerability.
According to Hackread, included in the stolen dataset were individuals' email addresses, mobile numbers, TikTok user IDs, usernames, nicknames, biographies, avatar URLs, profile links, account flags, and other metrics.
"Normally, TikTok doesn't provide any public API to access private data like emails or phone numbers, but a while ago, due to a vulnerability in one of their internal APIs, it was possible to extract this data," Often9 claimed.
While there has been some skepticism regarding the legitimacy of the dataset, which included numerous empty or generic email and phone number fields, most of the exposed data analysed by Hackread was noted to have been observed in fewer than two other breaches.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.