High profile TikTok accounts, including CNN, Sony, and—er—Paris Hilton have been targeted in a recent attack.
CNN was the first account takeover that made the news, with Semafor reporting that the account was down for several days after the incident.
According to Forbes, the attack does not require the account owner to click on a link or open a file, which is what makes it a zero-click attack. Simply opening a Direct Message (DM) is enough: the account is then taken over and the user loses access.
Malwarebytes’ Pieter Arntz explained how this sort of attack could happen:
“If they don’t need to click on anything, this could well be a vulnerability in the way content is loaded when opening a DM. We’ve seen similar vulnerabilities before in the Chromium browser, for example when fabricated images are loaded.”
TikTok says it has now fixed the issue and is working to get the accounts back to their rightful owners. Spokesperson Alex Haurek told Forbes:
“Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future.”
Haurek didn’t say whether the attackers were still targeting accounts.
Securing your TikTok account
This attack is eye-catching because it’s technically unusual, and was used against people who naturally attract headlines. However, it’s a flash in the pan and the vulnerability was quickly patched.
Meanwhile, there’s a thriving underground market in social media logins, fuelled by much more successful, but much more mundane, forms of attack. To reduce your risk of those, make sure you do these things:
- Use a strong password to secure your account, and make sure you’ve not used it elsewhere. You can use a password manager to remember your passwords.
- Enable two-step verification on your account. TikTok tells you how to do that here.
- Check what devices are logged into your account. TikTok Device Management allows you to view what devices are logged into your account, remove them if needed, and get notified if there is suspicious activity on your account.
- Be careful what you click on. If you receive a link from someone and you don’t know what it is, don’t click on it. Check what the link is via a different communication channel. In this case, it appears that someone only had to open a DM to get their account taken over, so watch out for DMs you’re not expecting.
- Don’t feel pressure. If someone is messaging you asking you to click on or send them something, think before you do it. Putting pressure on someone to perform an action quickly is a common tactic used by scammers. Trust your instincts.