A user known as “Often9” recently posted on a darkweb forum about a massive breach involving TikTok data. According to the threat actor, the dataset contains 428 million unique records, including sensitive details like user IDs, usernames, nicknames, emails, and phone numbers. This data was allegedly obtained by exploiting a vulnerability in one of TikTok’s internal APIs.
The actor clarified that while it may look like typical data scraping, it was actually made possible by a flaw in an internal API that TikTok had since patched. The exploit allowed the extraction of data that isn’t normally accessible to the public, making this more than just standard scraping—it’s a significant breach.
The data is currently being sold on the dark web forum, highlighting the persistent risk of large-scale data exposure from social media platforms. Users of TikTok should be particularly mindful of phishing attempts and other social engineering tactics that may emerge as a result of this leak.