A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”

The seller’s post, which appeared on the forum yesterday (May 29, 2025), promises a dataset containing detailed user information such as:

- Email addresses
- Mobile phone numbers
- Biography, avatar URLs, and profile links
- TikTok user IDs, usernames, and nicknames
- Account flags like private_account, secret, verified, and ttSeller status
- Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts

The inclusion of non-public fields such as email addresses, mobile phone numbers, and internal account flags is not something that can be casually scraped from TikTok’s public-facing website or mobile app. If these details are verified by TikTok to be accurate and recent, it suggests access to either internal TikTok systems or an exposed third-party database.

Threat Actor Explains How the Alleged TikTok Breach Happened

Someone on the forum asked the hacker how the data was extracted, whether it was just scraping or something more. In response, the hacker explained how they allegedly managed to extract the data.

“Normally, TikTok doesn’t provide any public API to access private data like emails or phone numbers. But a while ago, due to a vulnerability in one of their internal APIs, it was possible to extract this data. We discovered and abused that API before it was patched, which allowed us to collect this dataset. So technically yes, it looks like scraping, but it was done through an exploitable endpoint, not simple public crawling. So in short: it’s scraped via API, but because it leveraged a flaw to access data that wasn’t meant to be public, it’s a breach.”

What does Often9’s reply mean? The threat actor says that under normal conditions, TikTok doesn’t provide any public tool (API) that lets someone access private details like emails or phone numbers. But at some point, they found a vulnerability in one of TikTok’s internal APIs.

This flaw allowed them to pull out private user data that was not meant to be accessible. They used (and abused) this vulnerability before TikTok fixed it, letting them collect a large dataset.

While this process might look like “scraping” (which usually means gathering public data using automated tools), in this case, it was more serious because it involved exploiting an internal system that exposed non-public information.

Adding to the weight of the claim, the threat actor is willing to work through a middleman, a common approach on criminal forums when large-scale data sales require third-party verification to build buyer trust.


But Here’s Why Skepticism Is Warranted

Despite the attention-grabbing sales pitch from the threat actor, several red flags cast doubt on the validity of the claim. Importantly, a significant number of sample entries show empty or generic fields for emails and phone numbers, raising the possibility that this dataset was put together from scraped public profiles and organised using old breach data or guesswork.

The threat actor is a new account on the forum, having joined only days ago, with no reputation, neither positive nor negative. In the cybercrime world, reputation is currency; major breach sellers typically have years of verified history or past successful sales.

The forum itself has a recent history of inflated or false breach claims. Notably, the same platform was used last week to promote a so-called “1.2 billion Facebook user” data sale, which was later exposed as fake in an exclusive Hackread.com investigation, leading to the seller’s ban.

A closer look at the sample data reveals that many fields, user IDs, usernames, profile links, and follower metrics, are publicly accessible and could be obtained through large-scale scraping operations. While scraping at scale can still pose risks (like phishing or spam campaigns), it does not equate to a breach of internal systems.
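The sample checks described above (how many records actually carry usable non-public fields, and how many contain only what public scraping would return) can be scripted for any claimed dump. This is an added example, not Hackread.com's tooling or data from the post: the rows are constructed, and the column names and placeholder rules are assumptions.

```python
import csv
import io
import re

# Constructed sample rows; the column names are assumptions for this example,
# not the schema of the dataset advertised on the forum.
SAMPLE_CSV = """user_id,username,email,phone,follower_count,verified
1001,alice_example,alice@example.com,+15550100001,120,False
1002,bob_example,,,45,False
1003,carol_example,null,0000000000,9,False
1004,dave_example,test@test.com,,3001,True
1002,bob_example,,,45,False
1005,erin_example,erin@example.org,,77,False
"""

PRIVATE_FIELDS = ("email", "phone")   # fields public scraping cannot return
PLACEHOLDERS = {"", "null", "none", "n/a", "-"}   # assumed filler values
GENERIC_EMAIL = re.compile(r"^(test|user|admin|noreply)@", re.I)
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def is_populated(field, value):
    """True only if the value looks like real data rather than filler."""
    v = value.strip()
    if v.lower() in PLACEHOLDERS:
        return False
    if field == "email":
        return bool(EMAIL_SHAPE.match(v)) and not GENERIC_EMAIL.match(v)
    if field == "phone":
        digits = re.sub(r"\D", "", v)
        # Reject too-short numbers and single-digit repeats like 0000000000.
        return len(digits) >= 7 and len(set(digits)) > 1
    return True

def triage(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    unique = {r["user_id"]: r for r in rows}   # a "unique lines" claim: dedupe on ID
    report = {"rows": len(rows), "unique_ids": len(unique)}
    for field in PRIVATE_FIELDS:
        filled = sum(is_populated(field, r[field]) for r in unique.values())
        report[field + "_fill_rate"] = round(filled / len(unique), 2)
    # Records with no usable private field match what public scraping yields.
    report["public_only"] = sum(
        not any(is_populated(f, r[f]) for f in PRIVATE_FIELDS)
        for r in unique.values())
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_CSV))
```

A low fill rate on the private fields combined with a high `public_only` count is the pattern that points to scraped profiles rather than internal access.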

Cross-Checking Email Addresses with HaveIBeenPwned

Hackread.com also cross-checked the email addresses in the sample data against records on HaveIBeenPwned, and most were found in fewer than two previous data breaches. This is alarming and adds some legitimacy to the uniqueness of the data. However, a 1,200-line sample from a supposedly 428 million record breach is not enough to establish legitimacy.

For now, this claim should be treated with caution. As tempting as the sales numbers may be, reputationless sellers on cybercrime forums often exaggerate or fabricate to make a quick profit or attract attention.

Not The First Time

This is not the first time a threat actor has claimed to breach TikTok’s data. In September 2022, a hacker claimed to have acquired 2 billion TikTok records, including internal statistics, source code, 790 GB of user data, and more, a claim that was later denied by the company.

Hackread.com has reached out to TikTok and can confirm that the social media giant is investigating the alleged breach.