TikTok Data Breaches: Full Timeline Through 2022

In September 2022, a hacker claimed to have breached TikTok. But the social media app has disputed this breach, as have other credible sources. As of September 6, it appears the hacker was only able to access publicly available data.

Below, you’ll find a full timeline of TikTok data breaches and privacy violations, starting with the most recent.

September 2022: Alleged TikTok Breach Appears to Be False Alarm

On September 3rd, a hacker going by the alias “AgainstTheWest” claimed to have breached TikTok on Breach Forums. However, TikTok has disputed the breach, stating that “We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases.”

They aren’t the only ones to dispute this hacker’s claims. Troy Hunt, creator of Have I Been Pwned, investigated the data and deemed it “inconclusive”. And the owner of Breach Forums, the hacker “pompurin”, banned AgainstTheWest for lying about multiple data breaches:

Please note that the breach is not from TikTok, and that he most likely was lying or didn’t even investigate it before making such outrageous claims. AgainstTheWest has had a long history of lying about breaches or other things (Saying he’s a State sponsored hacking group… lol) and this was just the tipping point.

As far as we can tell, the hacker scraped publicly available information from TikTok. But TikTok itself does not appear to have been hacked, and private data does not seem to have been leaked.

June 2022: Chinese TikTok Employees Found to Be Accessing American User Data, Contrary to Public Statements

In June 2022, Buzzfeed News reported that Chinese TikTok employees had accessed American user data, despite the company’s repeated assurances to the contrary. In 2021, for instance, a TikTok executive testified in Congress that American user data was tightly controlled, and overseen by a “world-renowned, US-based security team.” Internal documents showed otherwise: in one, a key employee noted that “Everything is seen in China.”

In recent years, TikTok has emphasized their efforts to contain “protected” data pertaining to Americans inside the United States. To that end, they’ve touted their dealings with Oracle, especially regarding a data center in Texas that supposedly holds all “protected” data.

But what data counts as “protected” is still nebulous, even within the company. And storing the data in the United States is one thing; if Chinese employees still have access to it, it’s hard to say that this data has been “contained” in any meaningful way.

Throughout the internal documents Buzzfeed News reviewed, it appeared data privacy was not as serious a concern as TikTok’s public statement had indicated. As one consultant noted, “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting.”

Following this article, FCC Commissioner Brendan Carr publicly called on Apple and Google to remove TikTok from their respective app stores. He cited concerns regarding the breadth of data TikTok harvests concerning its users, their repeated misrepresentations regarding so-called “protected” data, and the Chinese Communist Party’s history of conducting espionage through commercial entities.

August 2020: 235 Million Social Media Profiles Exposed in Data Leak

In August 2020, the security company Comparitech discovered an unsecured database that held profile data from 235 million TikTok, Instagram, and YouTube accounts. Once they found the information, they notified the administrator of the database and announced the incident to the press.

The database was fully readable to anyone who connected, requiring no password for access and lacking encryption. Within the data cache were details scraped from various social media accounts, mainly account holders’ names, ages, genders, and profile image records. However, some records also featured email addresses and phone numbers.

The data leak featured information that was initially collected by Deep Social, a company that had scraped social media profile data. While data scraping isn’t illegal, it does violate the terms and conditions on many social media platforms.

Although Deep Social shut down in 2018, the database was taken over by another company, named Social Data. It’s unclear how long this trove of personal data was exposed before Comparitech discovered it in August 2020.

August 2020: Class Action Lawsuit Filed Over Allegations of Improper Personal Data Collection on 89 Million Users

In August 2020, a set of US-based lawsuits targeting TikTok were combined into a class-action suit. The suits all involved the improper collection of personal data, focusing heavily on data collected from children, some of whom were as young as six years old.

Along with harvesting personal data on approximately 89 million users, TikTok was accused of gathering facial recognition data without user consent. Additionally, the allegations state that TikTok shared that data without user consent as well.

In February 2021, TikTok agreed to a $92 million settlement to compensate impacted users. However, the company continues to disagree with the assertions within the suit, saying that the settlement was a means of avoiding litigation, allowing TikTok to focus on creating a safe and welcoming environment for users.

However, TikTok’s legal woes regarding the practice are ongoing. A UK and EU claim filed on behalf of children in those regions was reported on in April 2021. Suits in other countries may also arise, extending the timeframe before the incident is fully resolved.

February 2019: TikTok Fined $5.7 Million for Musical.ly’s Violations of Child Privacy Laws

In February 2019, the FTC – levying the largest civil penalty for a violation of the Children’s Online Privacy Protection Act at the time – fined TikTok $5.7 million for child privacy violations that occurred on Musical.ly, a social media app that merged with TikTok.

The FTC states that Musical.ly displayed personal information on children under the age of 13 and collected data on the children without obtaining parental consent. Along with requiring first and last names, profile pictures, and a biography, the app defaulted to making profiles public.

Additionally, setting a profile to private still left profile pictures and bios visible to all users and didn’t limit DMs, allowing anyone to send the user messages. Further, until October 2016, Musical.ly had a feature that allowed users to see which other users were within a 50-mile radius.

While the incident pre-dated the August 2018 merger of Musical.ly and TikTok, the responsibility fell on TikTok. As a result, TikTok agreed to pay the $5.7 million fine for the activity.
