Over 300 million social account records, originating from several platforms including Facebook, Instagram and LinkedIn, were recently exposed through a massive data leak from the cloud of SocialArks. More than 400GB of public and private account data belonging to about 214 million social media users across the world were affected by this leak. Following the incident, the data, including that of some well-known social media influencers and celebrities, was spread across the internet.

The data breach was caused by a misconfiguration of an ElasticSearch database owned by SocialArks, a company headquartered in China that is engaged in social profile management. It appears that the security measures applied to the database (hosted by Tencent) were very weak: in particular, the server's connection to the internet was not protected by a password, the data included in the database were not encrypted and access to the data lacked sufficient controls. Unfortunately, special categories of personal data were also leaked. The server was organised into indices so that the accounts, including personal data, were segregated by social media platform to facilitate quick review and analysis of the scraped data by marketing professionals.

SocialArks provides a platform for managing social media data that allows advertisement and marketing campaigns to be scheduled on the major social media platforms. The platform is mainly active on the Chinese market.

The practice of data scraping, performed by multiple companies on the market and facilitated by various web tools made available by the big website players, consists of collecting massive amounts of (personal) data from websites or, more frequently, from social media platforms in order to reuse them for other purposes, such as building marketing campaigns or online targeted advertising.

This practice, which is in principle not harmful, should be carried out by the service providers with appropriate and adequate security measures in order to keep the collected data secure within the databases. The risk of such databases being hacked or unlawfully accessed may indeed lead to massive and dangerous data breaches such as this one. Among the most common security measures to keep data safe, we can mention: encryption of the data in transit and at rest, strict management of access rights, protection of the database with firewalls and the use of secure passwords.
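The measures listed above can be checked against an ElasticSearch node's configuration before it goes online. The following Python script is an added example, not part of the original article and not SocialArks' configuration; it assumes the flat dotted `key: value` form of `elasticsearch.yml` with a single `network.host` value, treats an absent setting as not enabled, and runs on two constructed sample configurations.

```python
# Added example: audit a flat "key: value" elasticsearch.yml for the weaknesses
# described in the article. Encryption at rest is handled at disk/volume level
# and is not visible in this file, so it is not checked here.

REQUIRED_TRUE = {
    "xpack.security.enabled": "no authentication: anyone who reaches the port can read every index",
    "xpack.security.http.ssl.enabled": "REST traffic is not encrypted in transit",
    "xpack.security.transport.ssl.enabled": "node-to-node traffic is not encrypted in transit",
}
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}  # values that listen on public interfaces

# Constructed sample: the kind of setup the article describes.
EXPOSED = """
cluster.name: scraped-profiles
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the same node with the listed measures applied.
HARDENED = """
cluster.name: scraped-profiles
network.host: 10.0.0.5   # private interface only
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

def parse_settings(text):
    """Return {key: value} from flat 'key: value' lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings

def audit(text):
    """Return a list of (setting, problem) pairs; empty means no finding."""
    settings = parse_settings(text)
    findings = [(k, why) for k, why in REQUIRED_TRUE.items() if settings.get(k) != "true"]
    if settings.get("network.host", "_local_") in PUBLIC_BINDS:
        findings.append(("network.host", "listens on all interfaces: bind privately or firewall the port"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```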

Most social media platforms are by nature aimed at sharing personal information, in some cases clearly private; users are therefore keen to provide and publish personal data that may concern their professional or private sphere. On the other hand, marketing research companies and their clients make use of such data, which in most cases may be only partially protected from access. In this context it is of critical importance that the social media platform providers build a consistent and secure scheme to protect the personal data in accordance with the purpose of the processing, and that they duly inform the users about the activities and operations that are carried out in the framework of the platform, not only by the social media providers themselves but especially by third parties. It is also the responsibility of the user to share his/her personal data wisely and to take into account all the possible consequences of such practice.

You can read a German version of this article here.