Coupled with previous US shows of distrust against China-owned digital giants, this latest (possible) breach could be used for political mileage

This week, up to two billion TikTok users’ personal data were alleged to have been easily exfiltrated by malicious actor who had presumably cracked a weak password securing the data.

Only recently, in response to allegations that the Chinese firm’s employees were accessing or exploiting the data of their American users, their parent company ByteDance had been migrating data over to Oracle Cloud instead. And now this supposed breach (as predicted) has happened.

Photos of the leaked data being offered for sale in the Dark Web have been circulating, and there is speculation that the data may have come from a third party supplier associated with TikTok. This possibility would reaffirm concerns voiced by cybersecurity experts over supply chain risks.

According to Benjamin Harris, CEO, watchTowr: “As details emerge around how the breach may have occurred—possibly a weak password on a database server exposed to the Internet—it is a stark reminder that organizations, even those with technical prowess and massive engineering teams, still struggle to understand what they are exposing to the Internet, and thus how they are exposing consumer data.”

Although embarrassing for ByteDance, the exposure of such a trove of private data ultimately hurts the consumer significantly more, Harris said. “It appears that the TikTok breach is real, and may have been sourced from third-party data before being leaked onto the Dark Web. Ultimately in situations like this, the consumer pays the price, with their data irreversibly exposed to the world.” Regardless, TikTok and everyone reading this story is reminded to rotate and change access passwords regularly using best practices, and demand multi-factor authentication/login alerts from their service providers, among other social media safety measures.