TikTok user data compromised

A cybersecurity incident involving TikTok has potentially compromised the personal data of 428 million users, according to claims made by a threat actor known as “Often9” on underground cybercrime forums. The alleged breach includes sensitive information such as email addresses, mobile phone numbers, user IDs, usernames, and nicknames, representing one of the largest social media data exposures in recent years.

The compromised dataset reportedly contains extensive personal profile information, including biography details, avatar URLs, and profile links. Account status indicators such as private account settings, verified status, and seller designations were also allegedly exposed, alongside detailed engagement metrics including follower counts, video statistics, and friend connections. Zero-day exploits have become increasingly common in social media platform breaches, causing widespread data exposure and security concerns.

Often9 claims responsibility for exploiting a vulnerability in TikTok’s internal API system, which allegedly facilitated mass extraction of non-public data. Cybersecurity experts note that the presence of email addresses and phone numbers suggests the breach extended beyond simple public data scraping, potentially involving access to internal systems or exposed third-party databases.

The vulnerability allegedly enabled extraction of private user data beyond what typical scraping methods could access.

The leaked dataset has appeared for sale on prominent cybercrime forums, priced in the thousands of dollars. Sample data including usernames, emails, phone numbers, and profile details were posted to demonstrate authenticity. This incident follows historical precedent, with previous claims involving 2 billion TikTok records in earlier breaches.

Users face significant risks including mass phishing campaigns, targeted scams, account takeover attempts, and potential identity theft. The combination of publicly visible metrics with private contact information gives malicious actors better profiling opportunities, particularly for users whose accounts were previously private. The correlation of emails and phone numbers enables targeted phishing campaigns that could lead to widespread fraud and account compromise.

The breach’s legitimacy remains unverified while investigations are ongoing. Skepticism has emerged because of empty or generic fields in some exposed records, though the presence of non-public data points challenges explanations of large-scale public scraping. Often9 is known for previous data breach activities across multiple platforms, raising additional concerns about the credibility of these latest claims.

TikTok has initiated an internal investigation following the hacker’s claims, while cybersecurity professionals are analyzing the sample data for validation. The company has not publicly confirmed the breach, and no user notifications have been issued during the active investigation period.
