
SocialArks case: Data Scraping

Due to an error in SocialArks' cloud configuration, about 318 million records from social media accounts on Facebook, Instagram and LinkedIn were exposed.

In total, around 400 GB of data from the public and private profiles of 214 million users around the world.

Those records were exposed on the open Internet, including details of influencers and celebrities followed in the United States and in the rest of the world.

How were the data stolen? – This leak, significant both in volume and in scope, stems from a misconfigured Elasticsearch database belonging to SocialArks, a company registered in China that manages social media profiles.

Among the exposed data were sensitive data of Facebook, Instagram and LinkedIn users.

The server, connected to the Internet, had no password, no encryption and no other safeguard protecting the data. It was discovered during routine scans of IP addresses carried out to identify at-risk databases. The server contained more than 318 million records.
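The "routine scan" described above amounts to asking an Elasticsearch port whether it answers without credentials, and then reading the index listing to see how much it would give away. The script below is an added example written for this article; it is not the researchers' or SocialArks' tooling, and the host names, index names and document counts in the sample responses are constructed. It classifies the root endpoint (an open cluster returns its banner with HTTP 200; a cluster with authentication enabled returns 401) and totals the document counts from `_cat/indices?format=json`. The `probe()` helper performs the live check and must only be pointed at hosts you are authorised to test.

```python
"""Classify an Elasticsearch HTTP endpoint as open or protected and
summarise what an open one would leak. Added example for this article,
not SocialArks' or the researchers' code; sample data are constructed."""
import json
import urllib.error
import urllib.request

ES_TAGLINE = "You Know, for Search"  # present in every Elasticsearch root banner


def classify_root(status, body):
    """Return EXPOSED_NO_AUTH, AUTH_REQUIRED or NOT_ELASTICSEARCH
    from the status code and body of GET / on port 9200."""
    if status == 401:
        # Security enabled: cluster refuses to talk without credentials
        return "AUTH_REQUIRED"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "NOT_ELASTICSEARCH"
        if isinstance(doc, dict) and doc.get("tagline") == ES_TAGLINE and "cluster_name" in doc:
            # Banner served to an anonymous client: no password at all
            return "EXPOSED_NO_AUTH"
    return "NOT_ELASTICSEARCH"


def summarise_indices(cat_indices_json):
    """Parse _cat/indices?format=json (a JSON list of rows) and return
    (total document count, [(index, docs), ...] largest first)."""
    per_index = {}
    for row in json.loads(cat_indices_json):
        # _cat reports counts as strings; closed indices have no count
        count = row.get("docs.count")
        per_index[row["index"]] = int(count) if count not in (None, "") else 0
    total = sum(per_index.values())
    ranked = sorted(per_index.items(), key=lambda kv: kv[1], reverse=True)
    return total, ranked


def probe(host, port=9200, timeout=5):
    """Live check of one host (authorised targets only). Returns
    (verdict, total_docs, ranked_indices); not exercised offline."""
    base = f"http://{host}:{port}"
    try:
        with urllib.request.urlopen(base + "/", timeout=timeout) as r:
            status, body = r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, ""
    verdict = classify_root(status, body)
    if verdict != "EXPOSED_NO_AUTH":
        return verdict, 0, []
    with urllib.request.urlopen(base + "/_cat/indices?format=json", timeout=timeout) as r:
        total, ranked = summarise_indices(r.read().decode("utf-8", "replace"))
    return verdict, total, ranked


# Constructed sample responses (hypothetical cluster, index names and counts)
OPEN_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "social-profiles",
    "version": {"number": "7.9.0"},
    "tagline": ES_TAGLINE,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "instagram_profiles", "docs.count": "11651", "status": "open"},
    {"index": "linkedin_profiles", "docs.count": "66117", "status": "open"},
    {"index": "facebook_profiles", "docs.count": "81551", "status": "open"},
    {"index": "staging", "docs.count": None, "status": "close"},
])

if __name__ == "__main__":
    print(classify_root(200, OPEN_BANNER))
    total, ranked = summarise_indices(SAMPLE_CAT_INDICES)
    print(total, ranked)
```

On the server side the corresponding fix is to stop binding `network.host` to a public interface, enable authentication (`xpack.security.enabled: true`) and put TLS on the HTTP port, so that the first request returns 401 rather than the banner and the index listing.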

What is SocialArks? – SocialArks is a platform for managing social profiles, also used to schedule advertising on the main platforms and to plan marketing campaigns.

On the page describing its services, SocialArks defines itself as an "international social-media management company, dedicated to solving brand building, marketing and social customer management problems in the commercial sector with China."

Which data were held on the compromised server?

The server in question, hosted by Tencent, was divided into separate indexes in order to store data obtained from different sources. This organisation made the security researchers' task easier by simplifying the analysis of the social media data.

As the analysis showed, the data came from data-scraping carried out by SocialArks. The term refers to a kind of "trawl fishing": collecting as much data as possible without any specific target. Besides raising questions of its own, this practice violates the terms of service of the platforms involved, including Facebook, Instagram and LinkedIn.

The scale of the problem – The illicitly collected data came from more than 11 million Instagram users, more than 66 million LinkedIn members and more than 81 million Facebook users.

Those records include sensitive data such as profile images, bios (the caption in which users describe themselves), follower counts, geolocation settings, contact details such as email addresses and phone numbers, number of comments received, most-used hashtags, job position and more.

The existence of a central repository holding this information enables automated social engineering attacks.

Most data scraping is harmless, since it is carried out by web developers, business analysts and "honest" companies. In those cases the data are stored with due care.

It must be said that even data obtained legally, if stored without an adequate security infrastructure, can be stolen and fall into the wrong hands in one of the so-called "leaks" that have become so frequent in recent years.

When private information such as telephone numbers, e-mail addresses and dates of birth are extracted and/or disclosed, criminals have sufficient weaponry to carry out targeted identity theft attacks.

However, it is notable in itself that the data scraping took place and succeeded in collecting public and private information from registered users. As is often the case, it was public profiles that fell victim to this "fishing" technique, which is as crude as it is effective.

Usually, large social networks such as Facebook and Instagram block attempts at massive data scraping, since it is precisely the data relating to their users that give value to these two big brands in the digital world.

Would a private account really solve the issue? – The answer is no. And the example of LinkedIn is as clear as it is providential. This social network, which was created specifically to create and establish connections in the business environment, requires a certain amount of transparency in one’s user profile in order to connect with others. Setting the profile as private would make the interweaving of this network much more complex.

The onus here would have to fall almost entirely on the proprietary social platforms. With the powerful means at their disposal, they should create a secure ecosystem for their users, including those who have chosen to share their information publicly. But for a change in this direction to take place, a strong stance is needed from the users themselves, who must demand ever greater transparency and security in the terms of use of all social networks and in the management (and storage) of personal data. Let us not lower our guard!

SOURCE: FEDERPRIVACY 
