Details from the platform are scarce for now, but two experts weigh in on what users can do in the meantime
This week, social media platform TikTok reported a security breach that had compromised multiple high-profile accounts, including those of Paris Hilton, CNN, and Sony.
Exact details of the cyberattack or the firm’s mitigation measures have not been divulged so far. What is known is that the attack involved malware transmitted via direct messages on the chat platform.
The malware could lock content owners out of their accounts, but the motive behind the attack was unclear, as no content had been posted from any of the affected accounts.
What should users of the platform do while more details are officially revealed to the public? According to Pete Nicoletti, Global Field CISO, Check Point Software Technologies, there have been multiple reported hacks of the platform in the last few years. “If you have a TikTok account, stop what you are doing and set up two-factor authentication before you open any Direct Messages! According to recent reports, the malware is transmitted through DMs within the TikTok app, and it does not require a download, click or response beyond just opening any direct message,” he said.
When Ray Kelly, Fellow at the Synopsys Software Integrity Group, heard about the attack, he was reminded of a similar one: the “Samy worm” that targeted MySpace, one of the earliest social networking services, in 2005. “That event was the first widely known instance of a self-propagating worm on a social media platform, and (it) underscored the critical importance of input validation in web applications. While that hacker was merely having some fun by posting (JavaScript code, posted as a status update, that used cross-site scripting to do the damage), the TikTok bad actors seem to have more malicious intentions, aiming to take over accounts and wreak havoc on high-profile users using DMs to propagate the malware.”
Kelly suggested that “malware” may not be the right term for the TikTok breach; “malicious code or script” fits better, since the attack did not require clicking on anything in the DM.