The most recent TikTok data breach happened in August 2020, when an unsecured database controlled by a third-party company exposed 235 million social media profiles. This information had been obtained by scraping, and did not result from a breach of TikTok itself.
As far as we can tell, there have been no known TikTok breaches since August 2020. Below, you’ll find a full timeline of TikTok data breaches and security incidents, starting with the most recent.
August 2020: 235 Million Social Media Profiles Exposed in Data Leak
In August 2020, the security company Comparitech discovered an unsecured database that held profile data from 235 million TikTok, Instagram, and YouTube accounts. Once they found the information, they notified the administrator of the database and announced the incident to the press.
The database was fully readable to anyone who connected, requiring no password for access and lacking encryption. Within the data cache were details scraped from various social media accounts, mainly account holder names, ages, genders, and profile images. However, some records also featured email addresses and phone numbers.
The data leak featured information that was initially collected by Deep Social, a company that had scraped social media profile data. While data scraping isn’t illegal, it does violate the terms and conditions of many social media platforms.
Although Deep Social shut down in 2018, the database was taken over by another company, named Social Data. It’s unclear how long this trove of personal data was exposed before Comparitech discovered it in August 2020.
August 2020: Class Action Lawsuit Filed Over Allegations of Improper Personal Data Collection on 89 Million Users
In August 2020, a set of US-based lawsuits targeting TikTok was combined into a class-action suit. The suits all involved the improper collection of personal data, focusing heavily on data collected from children, some of whom were as young as six years old.
Along with harvesting personal data on approximately 89 million users, TikTok was accused of gathering facial recognition data without user consent. Additionally, the allegations state that TikTok shared that data without user consent as well.
In February 2021, TikTok agreed to a $92 million settlement to compensate impacted users. However, the company continues to disagree with the assertions within the suit, saying that the settlement was a means of avoiding litigation, allowing TikTok to focus on creating a safe and welcoming environment for users.
However, TikTok’s legal woes regarding the practice are ongoing. A UK and EU claim filed on behalf of children in those regions was reported on in April 2021. Suits in other countries may also arise, extending the timeframe before the incident is fully resolved.
February 2019: TikTok Fined $5.7 Million for Musical.ly’s Violations of Child Privacy Laws
In February 2019, the FTC – levying the largest civil penalty for a violation of the Children’s Online Privacy Protection Act at the time – fined TikTok $5.7 million for child privacy violations that occurred on Musical.ly, a social media app that merged with TikTok.
The FTC states that Musical.ly displayed personal information on children under the age of 13 and collected data on the children without obtaining parental consent. Along with requiring first and last names, profile pictures, and a biography, the app defaulted to making profiles public.
Additionally, setting a profile to private still left profile pictures and bios visible to all users and didn’t limit DMs, allowing anyone to send the user messages. Further, until October 2016, Musical.ly had a feature that allowed users to see which other users were within a 50-mile radius.
While the incident pre-dated the August 2018 merger of Musical.ly and TikTok, the responsibility fell on TikTok. As a result, TikTok agreed to pay the $5.7 million fine for the activity.