An Unsecured Server Exposes Data of 2.6 Million Instagram and TikTok Users

It’s already a well-known fact that your Instagram likes, hobbies, and activities are monitored and sold to advertisers. When it comes to TikTok’s privacy features, research showed the platform uses device fingerprinting to track your behavior.

Even the fact that the two social media platforms have suffered another data breach doesn’t quite come as a surprise. History seems to repeat itself, with Instagram and TikTok not properly managing and securing users’ personal data.

Once again, security researchers encountered a weak spot. This time, it was at a third-party company that handles analytics data for the two social media giants.

Let’s dig deeper into the technical facts of yet another Instagram and TikTok data breach.

An Unsecured Server Was the Root Cause

An unprotected and unsecured ElasticSearch server that stored scraped data of over 2 million Instagram and TikTok users caused the data breach. A social media analytics site named IGBlade owns the compromised server. IGBlade’s activity focuses on analytics tools: tracking follower growth, engagement rates, account history and other metrics for Instagram and TikTok accounts.

Safety Detectives was the one who discovered the vulnerability and informed IGBlade about it in July 2021. IGBlade seemed to have secured the server the same day but apparently didn’t do a great job.

This security vulnerability impacted casual users as well as food bloggers and celebrities like Alicia Keys, Ariana Grande, or Kim Kardashian.

Users’ screenshots and links to profile pictures, full usernames, user bio, email address, phone number, location, and follower counts could now end up in who knows whose hands.

While data scraping (aka web harvesting, where computers or software extract publicly available online data) isn’t an illegal activity, both TikTok and Instagram forbid it in their privacy policies. Still, this isn’t the first time web scrapers have broken the companies’ policy terms.

This data leak could be just the beginning of an entire parade of cyber-attacks and online frauds. Cybercriminals can use this information to create fake accounts, unleash phishing attacks, or even ransomware.

Similar Instagram and TikTok Data Breaches

If we were to take a trip down memory lane, we’d see the two companies have been in the spotlight before, for the same reason of exposing their users’ personal data:


Aug, 2020
TikTok, Instagram and YouTube were the targets of a massive data breach that left 235 million accounts exposed. Disclosed data covered personally identifiable information (PII), including names, contact information, images, and statistics about followers. The breach was the result of data scraping by Social Data, a company that sells data related to social media influencers to marketers. Data scraping wasn’t allowed at that time either; neither Facebook, Instagram, TikTok, nor YouTube had agreed to data scraping, but they did admit it can be difficult to tell when someone breaks this rule.
Apr, 2021
The UK sued TikTok, accusing the company of illegal collection of children’s personal data according to GDPR terms. The Children’s Commissioner for England stated TikTok deceived parents, as it didn’t clearly mention how it collects children’s private information like phone numbers, physical location and videos.
June, 2021
TikTok changed its privacy policy in the US. The company added a new section that gave it carte blanche to collect users’ biometric information. TikTok noted the change was part of its developments that covered ‘special video effects, content moderation, demographic classification’, among other purposes. TikTok’s decision sparked several debates since not all US states have biometric privacy laws, meaning TikTok was compelled to inform users about data collection only where required by law.


May, 2019
An unprotected server from Instagram left 49 million influencers, celebrities, and brand accounts out in the open, freely accessible to anyone. The exposed data included users’ biodata, profile picture, the number of followers, their location, and contact information like the email address and phone number associated with their Instagram account.
Jan, 2020
Social Captain, a service that helps Instagram users boost their follower counts, disclosed thousands of Instagram usernames and passwords. The company was storing passwords in unencrypted plaintext. A bug on the company’s website permitted anyone to capture Instagram users’ credentials.
Jan, 2021
An unsecured ElasticSearch database (ring any bells?) exposed data of over 214 million (408GB) Instagram users worldwide, including celebrities and social media influencers. Along with Instagram, Facebook and LinkedIn were hit at the same time.

What to Expect from Instagram and TikTok in the Future?

An impressive collection of data breaches marks Instagram and TikTok’s histories. Note that the ones mentioned above are just a few recent examples.

These companies don’t seem to learn an important lesson: they need to enforce tight security measures on the databases that store people’s personal data.

Since you can’t expect them to handle your data properly, it’s high time you start protecting it yourself. Find out useful tips on how to stay safe on social media.

That is, unless you’ve decided to forget everything about these platforms and delete your Instagram and/or TikTok accounts.


Did you ever choose to quit any social media platform? What was the main reason for your decision?

Let me know in the comments section below.


Instagram is a popular way to get connected with various people. Instagram scrapers are doing this easily. If you find out the best Instagram scrapers, you can easily boost up your followers.


Instagram is a great way to reach more people gradually. How can Instagram scrapers work in it? Should we consider Instagram scrapers for building followers?


Hi, Rakib.
Web scraping is a controversial topic. While scraping publicly available data is considered legal, collecting any private or copyrighted information is generally illegal.
Some web scraping tools fall in a gray area, which has opened the way for litigation. Meta, Instagram’s parent company, is actively involved in legal battles with data scraping sites.
As such, we wouldn’t advise anyone to scrape data without first getting legal advice relevant to their jurisdiction. Please note that none of this is legal advice.
Stay safe!
