When Sharing Isn't Always A Good Thing: TikTok Shares Your PII
February 27, 2024
Growing up, our elders taught us to share with others. Of course, we know they weren’t talking about sharing personal information online. If anything, the latest TikTok hack should be a lesson to us all to be extremely careful about the PII (personally identifiable information) we share online, especially on social media sites. Case in fact, Check Point Research discovered a security flaw with the popular video-sharing and sometimes controversial TikTok app. TikTok’s “Find Friends” option was exploited by hackers who used it to steal PII from the account holder and their contacts. The thefts included sensitive PII that can be used for further hacks, including identity theft and financial fraud.
TikTok was developed by ByteDance, a China-based company, and the app has come under scrutiny by the U.S. and other countries as a potential security threat. Meanwhile, the seemingly innocuous action of finding friends who were also on TikTok enabled attackers to access your PII and that of your contacts. Those details included TikTok screen names, phone numbers, profiles and profile settings, and unique user ID’s. TikTok allows an account holder to find up to 200 friends and contacts per day; that’s a lot of ammo for hackers to abuse. ByteDance has since patched the flaw, but this exploit raised questions about how much PII we should be sharing on social media, including mobile apps in particular.
An even larger problem exists when personal data stolen from TikTok is combined with PII pilfered from other hacks and is easily found on the dark web. Knowing the limits of what is considered “safe PII” and what should not be shared isn’t always easy. Keeping a few tactics in mind before posting PII can help keep you and your contacts from future harm.
Know Your Limits
- Less is better. Being stingy with your PII gives an attacker little to work with and exploit. Chances are they’ll move on to a more fruitful target.
- If it isn’t absolutely necessary, don’t give it up. Look at your PII from a hacker’s perspective and avoid giving them the keys to your valuable data whenever possible.
- The type of PII you post can determine how much damage can be done with it. In the wrong hands, some PII can lead to identity theft, financial fraud, and much more. A hacker can also assume your identity and send malicious phishing emails and direct messages to your contacts, and they are more likely to trust it’s from you.
- Giving access to your contacts is never a good idea. If an app allows you to sign in using another app like Facebook or LinkedIn, know that your PII on these sites, including that of your contacts, may about to be shared with a third party.
- Always apply patches to apps as soon as they are available. These patches often contain bug fixes for security and other important flaws.