TikTok denies data breach, hacker allegedly banned for 'lying' about it

TikTok, the viral short video platform owned by China's Bytedance, has denied any report of data breaches that surfaced on Monday, September 5. In statements offered to publications, TikTok spokesperson Maureen Shanahan categorically denied any proof of data breach. Subsequent reports from independent security researchers, which includes 'Have I Been Pwned' founder and cyber security analyst Troy Hunt, have further underlined that the initial reports could have been false.

In a statement to The Verge, Shanahan said, “We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases. We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community.”

Shanahan’s statement was subsequently backed up by Hunt, who also serves as a regional director for Microsoft in Australia. In a series of tweets, Hunt highlighted that the files posted by the hacker who had claimed to have breached TikTok appeared to be scraped from open source and publicly accessible systems — without any clear identifier of personal data being linked to these data sets.

Users on Twitter subsequently highlighted that the hacker, who had posted the files claiming to have spotted TikTok's data breach, had been banned from the dark web forum where the data dumps were shared. According to posts on Twitter, the hacker, who operated under the alias 'Against The West', had been banned for "lying about the data breach".

Independent security researchers have since failed to verify the breach, although they agreed that the data that was dumped was clearly linked to TikTok. Independent security researcher Bob Diachenko, who operates under the name 'Mayhem Day One' on Twitter, initially posted affirming the breach to TikTok, but subsequently stated that the lack of clearly identifiable user data means that no reports could be fully verified. 

Initial claims had suggested the presence of a 790GB data dump that contained personally identifiable information of over 2 billion individuals on TikTok — as well as sensitive details of the app's source code. The claim made by the hacker group had suggested that TikTok had stored all of its user data and its app source code in an Alibaba cloud server with weakly configured security standards.