Popular short-form video app TikTok recently found itself having to refute claims that it had been hacked, and is continuing to rebut the charge.
According to BleepingComputer, as early as late last week, a hacking group known as AgainstTheWest, posted to a forum saying that it had hacked TikTok and a messaging app known as WeChat. The forum post also included screenshots, which were of “an alleged database belonging to the companies, which they say was accessed on an Alibaba cloud instance containing data for both TikTok and WeChat users.”
The most concerning thing about this security breach claim is that the server that was breached allegedly contains 2.05 billion records within a 790GB database which houses “user data, platform statistics, software code, cookies, auth tokens, server info, and many more.”
But on Monday, TikTok posted a tweet denying that it had been breached, saying that after its security team’s investigation into the hackers’ claims, it “found no evidence of a security breach.”
TikTok prioritizes the privacy and security of our users’ data. Our security team investigated these claims and found no evidence of a security breach. https://t.co/TdCZDUFLPN
— TikTokComms (@TikTokComms) September 5, 2022
TikTok also confirmed further details on the matter to The Verge, saying that TikTok users didn’t need to do anything and that “the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases.”
Additionally, Troy Hunt, a Microsoft regional director and creator of the Have I Been Pwned website, posted a tweet thread about the security breach claims. In the thread, Hunt tries to verify the claims and is able to match some of the data to “publicly accessible videos.” But while Hunt is able to do so, he still notes that the data itself is publicly accessible and therefore it’s still possible that it was “constructed without breach…”
But this is all publicly accessible data so it *could* have been constructed without breach, let's look further…
— Troy Hunt (@troyhunt) September 4, 2022
Ultimately, in terms of the alleged TikTok breach data, Hunt deemed the data “inconclusive.”
This is so far pretty inconclusive; some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data. It's a bit of a mixed bag so far.
— Troy Hunt (@troyhunt) September 5, 2022
And in another development in the story of the hackers’ claim, BleepingComputer reported on Tuesday that the account that posted the breach claim on a hackers’ forum has now been banned from that forum. The account was apparently banned “for not properly investigating the breach” prior to posting about it.