Chinese social media management company Socialarks leaked personally identifiable information (PII) of over 200 million Facebook, Instagram and LinkedIn users, according to researchers from SafetyDetectives. The data leaked through an unsecured Elasticsearch server that held 408GB of personal data on regular users, social media influencers and even celebrities.
Investigators found that the leaked data appeared to have been scraped from popular social media platforms, in violation of the terms of service of the social media giants.
The leaky database included the following information:
- 81,551,567 Facebook account profiles
- 66,117,839 LinkedIn user profiles
- 11,651,162 Instagram user accounts
Researchers also noted that an additional 55.3 million Facebook user profiles were deleted hours after their discovery.
“From the leaked data we discovered, it was possible to determine people’s full names, country of residence, place of work, position, subscriber data and contact information, as well as direct links to their profiles,” SafetyDetectives explained.
The exposed information for each social media platform varies, but it paints a complete picture of the user’s profile that could allow threat actors to choose their most profitable targets.
Leaked Instagram user accounts revealed full names, over 6 million phone numbers, 11 million email addresses, profile links, pictures, profile descriptions, number of followers, country of residence and most frequently used hashtags.
The Facebook records expose similar fields, along with Like, Follow and Rating counts, Messenger ID and profile description.
In the case of LinkedIn profiles, the records exposed each user's job profile, job title and seniority level, company name and revenue margin, together with the user's full name and email address.
Although not every record contained the full set of fields for every user, the investigators noticed that the database held phone numbers and email addresses for users who had opted not to make that information public on their profiles.
“Socialarks’ database stored personal data for Instagram and LinkedIn users such as private phone numbers and email addresses for users that did not divulge such information publicly on their accounts,” the report reads. “How Socialarks could possibly have access to such data in the first place remains unknown.”
The China-based company suffered a similar data breach in August 2020, which exposed information on 150 million LinkedIn, Facebook and Instagram users. Investigators said the unsecured server was discovered on December 12, 2020. Two days after confirming the origin of the database, the cybersecurity team contacted Socialarks to disclose the breach.
“The company did not respond to our correspondence but the server was secured on the same day,” SafetyDetectives added.
The leak and the unethical scraping of user data pose a serious security risk to the exposed users. The information could be “weaponized to carry out a specific goal of extracting personal information for criminal purposes,” the report warned. “Potential ramifications of exposing personal information include identity theft and financial fraud conducted across other platforms including online banking.”