A Zero Day TikTok Hack Is Taking Over Celebrity And Brand Accounts
The compromised accounts include CNN and Paris Hilton — and all users have to do to be hacked is open a DM, according to company sources.
Emily Baker-White
Forbes Staff
Jun 4, 2024, 11:11am EDT
Updated Jun 4, 2024, 03:31pm EDT
Malicious code is taking over accounts on TikTok, and has already compromised the official accounts of celebrities and brands, including the official account of CNN, according to sources inside the company.
Other accounts affected include Paris Hilton and an official Sony brand account, per the sources.
The malware is transmitted through DMs within the TikTok app, and does not require a download, click, response or any other act from users beyond opening a message. The hacked accounts do not appear to be posting content, and it’s unclear how many have been affected.
TikTok spokesperson Alex Haurek said: "Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future. We're working directly with affected account owners to restore access, if needed."
Haurek added midday Tuesday that the number of compromised accounts the company had found was “very small,” but declined to give a specific number or offer specifics about how TikTok was protecting other exposed accounts. TikTok has over a billion global users.
About CNN specifically, he added: “Our security team was recently alerted to malicious actors targeting CNN’s TikTok account. We have been collaborating closely with CNN to restore account access and implement enhanced security measures to safeguard their account moving forward. We are dedicated to maintaining the integrity of the platform and will continue to monitor for any further inauthentic activity.”
Haurek did not answer a question about whether the hackers were still actively compromising accounts.
Paris Hilton, CNN, and Sony did not respond to requests for comment by press time.
TikTok has been hacked multiple times over the last few years. In summer 2023, TikTok acknowledged that as many as 700,000 accounts in Turkey had been compromised due to the company’s use of insecure SMS channels for its two-factor authentication. The issue occurred shortly before Turkey’s heavily contested presidential elections.
In 2022, researchers at Microsoft discovered another vulnerability in the TikTok app that allowed hackers to take over accounts with a single click. In that instance, accounts were compromised when users clicked on a malicious link.
Semafor reported Tuesday that CNN’s TikTok had been hacked, forcing the network to take down its account for several days. A network spokesperson told Semafor that CNN was “working with TikTok on the backend on additional cybersecurity measures.”
TikTok’s security and privacy practices have been at the center of lawmaker concerns that the Chinese government could direct its Chinese parent company ByteDance to use the app to spy on Americans (as it did in 2022) or to influence what messages they see.
Those fears culminated in an April law that requires ByteDance to divest from the app or see it banned in the United States. TikTok and ByteDance have challenged the bill in court.
This is a developing story...