TikTok accounts of many famous people around the world were hacked
Recently, the short video sharing platform TikTok admitted that there was a security vulnerability that caused many celebrity accounts to be hacked.
The news was first reported by news site Semafor and Forbes magazine, which detailed a zero-click account takeover campaign that allowed malware spread via direct messages to compromise the accounts of brands and celebrities without them having to click or interact with any content.

Hackers exploited an unpatched, previously unknown security vulnerability (a so-called zero-day) in the messaging component that allowed malicious code to execute as soon as a message was opened.
It's not yet clear how many users were affected, though a TikTok spokesperson said the company has taken steps to contain the attack and prevent it from happening again in the future.
The company added that it is working directly with affected account owners to restore access and that the attack only affected a “very small number” of users. However, TikTok did not provide any specific details about the nature of the attack or the mitigation techniques it used.
This is not the first time security issues have been discovered in the widely used service. In January 2021, Israeli security solutions provider Check Point also disclosed a vulnerability in TikTok that could have allowed attackers to build a database of the app's users and their associated phone numbers for future malicious activities.
Then, in September 2022, Microsoft discovered a single-click vulnerability affecting the TikTok app on Android devices that could allow an attacker to take control of an account when a victim clicked on a link provided by the hacker.
Another issue revealed by US cybersecurity firm Imperva more than a year ago showed that a security vulnerability in the TikTok app could allow attackers to track user activity and access sensitive information on both mobile devices and desktops.
“By exploiting this vulnerability, an attacker could send malicious messages to the TikTok web application via the PostMessage API, bypassing security measures. The message processor would then treat the malicious message as if it came from a trusted source, allowing the attacker to access sensitive user information,” cybersecurity firm Imperva said.
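The class of flaw Imperva describes, shown from the defender's side as an added example (not TikTok's or Imperva's code): a `message` handler that trusts every sender, next to one that checks the sender's origin and the payload first. The origins, the `getProfile` message type and the session object are hypothetical, and the example assumes the bypassed measure was an origin check.

```javascript
// Added example: hypothetical origins and message shape, not TikTok's code.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']); // assumed allowlist

// Weak: acts on any message, whatever window sent it.
function naiveHandler(event, session) {
  if (event.data && event.data.type === 'getProfile') {
    return { ok: true, profile: session.profile };
  }
  return { ok: false, reason: 'unknown-type' };
}

// Hardened: exact-match origin allowlist, then strict validation of the payload.
function hardenedHandler(event, session) {
  // Exact string comparison; substring checks such as
  // origin.includes('example.com') also accept look-alike hosts.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: 'untrusted-origin' };
  }
  const data = event.data;
  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
    return { ok: false, reason: 'bad-shape' };
  }
  if (data.type !== 'getProfile') {
    return { ok: false, reason: 'unknown-type' };
  }
  // Return only the fields the caller needs, never the whole session.
  return { ok: true, profile: { displayName: session.profile.displayName } };
}

// Constructed sample events mimicking the MessageEvent fields used above.
const session = { profile: { displayName: 'alice', email: 'alice@example.com' } };
const events = [
  { origin: 'https://app.example.com', data: { type: 'getProfile' } },
  { origin: 'https://app.example.com.attacker.test', data: { type: 'getProfile' } },
  { origin: 'null', data: { type: 'getProfile' } },          // sandboxed iframe
  { origin: 'https://app.example.com', data: 'getProfile' }, // wrong shape
];

function runDemo() {
  return events.map((e) => ({
    origin: e.origin,
    naive: naiveHandler(e, session).ok,
    hardened: hardenedHandler(e, session).reason || 'accepted',
  }));
}

console.table(runDemo());
// In a browser: window.addEventListener('message', (e) => hardenedHandler(e, session));
```

The naive handler returns the full profile to three of the four senders, while the hardened one accepts only the first and never returns the email field.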
Not only that, as many as 700,000 TikTok accounts in Türkiye were found to be compromised last year, after reports that routing SMS messages through insecure channels allowed hackers to intercept one-time passwords and access users' TikTok accounts to increase likes and followers.
Bad actors have also leveraged TikTok’s “Invisible Challenge” trend to distribute information-stealing malware, demonstrating attackers’ continued efforts to spread malware through unorthodox methods.
The hijacking of accounts with large followings on platforms like TikTok remains a risk, because such accounts can spread malware or misinformation much faster.
This is a serious warning for TikTok users, especially celebrities and big brands. To protect their accounts, users should be cautious when opening messages from strangers and update the TikTok app to the latest version.
TikTok's Chinese origins have led to concerns that the app could be used as a tool to collect sensitive information about US users and promote propaganda, eventually leading to the passage of a law banning the TikTok app in the country unless it is divested from parent company ByteDance.
In response to the US ban, TikTok filed a lawsuit in a US court to fight the move, claiming it was an “extraordinary interference with freedom of expression” and that the US had only raised “speculative concerns” to justify the ban.
The short video app TikTok has been banned by many countries around the world, including India, Nepal, Senegal, Somalia and Kyrgyzstan. In addition, some countries such as the US, UK, Canada, Australia and New Zealand have banned the app from government devices.