A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”
The seller’s post, which appeared on the forum yesterday (May 29, 2025), promises a dataset containing detailed user information such as:
- Email addresses
- Mobile phone numbers
- Biography, avatar URLs, and profile links
- TikTok user IDs, usernames, and nicknames
- Account flags like private_account, secret, verified, and ttSeller status
- Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts
The inclusion of private fields such as email addresses, mobile phone numbers, and internal account flags is not something that can be casually scraped from TikTok’s public-facing website or mobile app. If these details are verified by TikTok to be accurate and current, it suggests access to either internal TikTok systems or an exposed third-party database.
Threat Actor Explains How the Alleged TikTok Breach Occurred
Someone on the forum asked the hacker how the data was extracted, whether it was just scraping or something more. In response, the hacker explained how they allegedly managed to extract the data.
“Normally, TikTok doesn’t provide any public API to access private data like emails or phone numbers. But some time ago, due to a vulnerability in one of their internal APIs, it was possible to extract this data. We discovered and abused that API before it was patched, which allowed us to collect this dataset. So technically yes, it looks like scraping, but it was done through an exploitable endpoint, not simple public crawling. So in short: it’s scraped via API, but because it leveraged a flaw to access data that wasn’t meant to be public, it’s a breach.”
Often9
What does Often9’s reply mean? The threat actor says that under normal conditions, TikTok doesn’t provide any public tool (API) that lets someone access private details like emails or phone numbers. But at some point, they found a vulnerability in one of TikTok’s internal APIs.
This flaw allowed them to pull out private user data that was not meant to be accessible. They used (and abused) this vulnerability before TikTok fixed it, letting them collect a large dataset.
While this process might look like “scraping” (which usually means collecting public data using automated tools), in this case it was more serious because it involved exploiting an internal system that exposed private information.
Adding to the weight of the claim, the threat actor is willing to work through a middleman, a common approach on criminal forums when large-scale data sales require third-party verification to build buyer trust.
But Here’s Why Skepticism Is Warranted
Despite the threat actor’s intriguing sales pitch, several red flags cast doubt on the validity of the claim. Importantly, a significant number of sample entries show empty or generic fields for emails and phone numbers, raising the possibility that this dataset was put together from scraped public profiles and organised using old breach data or guesswork.
The threat actor is a new account on the forum, having joined only days ago, with no reputation, neither positive nor negative. In the cybercrime world, reputation is currency; major breach sellers typically have years of verified history or past successful sales.
The forum itself has a recent history of inflated or false breach claims. Notably, the same platform was used last week to promote a so-called “1.2 billion Facebook user” data sale, which was later exposed as fake in an exclusive Hackread.com investigation, leading to the seller’s ban.
A closer look at the sample data reveals that many fields (user IDs, usernames, profile links, and follower metrics) are publicly accessible and could be obtained through large-scale scraping operations. While scraping at scale can still pose risks (like phishing or spam campaigns), it doesn’t equate to a breach of internal systems.
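The two red flags above (padded email and phone columns, and fields that are public-profile data anyway) can be checked mechanically on a seller's sample. This is an added example, not code from Hackread.com or TikTok; the JSONL rows, field names and placeholder list are constructed assumptions modelled on the listing's advertised fields.

```python
import json
from collections import Counter

# Constructed sample rows in the shape of the seller's listing (not real TikTok data).
SAMPLE_JSONL = """\
{"user_id": "1000001", "username": "user_a", "nickname": "A", "email": "a@example.com", "mobile": "+15550100", "follower_count": 120, "private_account": false}
{"user_id": "1000002", "username": "user_b", "nickname": "B", "email": "", "mobile": "null", "follower_count": 42, "private_account": false}
{"user_id": "1000003", "username": "user_c", "nickname": "C", "email": "N/A", "mobile": "", "follower_count": 9, "private_account": true}
{"user_id": "1000004", "username": "user_d", "nickname": "D", "email": "d@example.com", "mobile": "unknown", "follower_count": 7, "private_account": false}
{"user_id": "1000005", "username": "user_e", "nickname": "E", "email": "not-an-email", "mobile": "+15550105", "follower_count": 3, "private_account": false}
"""

# Generic fillers a seller may use to pad a column they do not actually have (assumed list).
PLACEHOLDERS = {"", "null", "none", "n/a", "unknown", "-", "0"}

def is_placeholder(value):
    """True when a field is empty or a generic filler rather than real data."""
    return value is None or str(value).strip().lower() in PLACEHOLDERS

def is_real_email(value):
    return not is_placeholder(value) and "@" in str(value)

def is_real_phone(value):
    return not is_placeholder(value) and any(ch.isdigit() for ch in str(value))

def triage_sample(jsonl_text):
    """Count how many rows carry genuine non-public contact data.

    Rows with neither a usable email nor a usable phone number contain only
    fields that public-profile scraping could produce, which is the red flag
    the article describes.
    """
    stats = Counter()
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        stats["records"] += 1
        email_ok = is_real_email(rec.get("email"))
        phone_ok = is_real_phone(rec.get("mobile"))
        stats["email_missing"] += not email_ok
        stats["phone_missing"] += not phone_ok
        stats["public_only"] += not (email_ok or phone_ok)
    stats["public_only_rate"] = round(stats["public_only"] / max(stats["records"], 1), 2)
    return dict(stats)

if __name__ == "__main__":
    print(triage_sample(SAMPLE_JSONL))
```

A high public_only_rate on a seller's sample is a prompt to treat the listing as scraping plus padding until a verifiable private field is shown.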
Cross-Checking Email Addresses with HaveIBeenPwned
Hackread.com also cross-checked the email addresses in the sample data against records on HaveIBeenPwned, and most were found in fewer than two previous data breaches. That is alarming and lends some legitimacy to the uniqueness of the data. However, a 1,200-line sample from a supposedly 428 million record breach is not enough to establish legitimacy.
For now, this claim should be treated with caution. As tempting as the sales numbers may be, reputationless sellers on cybercrime forums often exaggerate or fabricate to make a quick profit or attract attention.
Not The First Time
This isn’t the first time a threat actor has claimed to breach TikTok’s data. In September 2022, a hacker claimed to have obtained 2 billion TikTok records, including internal statistics, source code, 790 GB of user data, and more, a claim that was later denied by the company.
Hackread.com has reached out to TikTok and can confirm that the social media giant is investigating the alleged breach.