Few But High-Profile TikTok Accounts Hacked Via Zero-Click Attack in DM

TikTok accounts are being hacked! Celebrities and brands targeted in zero-click attack. Learn more about this major security breach in which accounts have been compromised.

Social media, online shopping and video giant TikTok has experienced a cyberattack in which attackers managed to compromise celebrity and brand accounts, including hotel heiress Paris Hilton, Sony, and CNN.

While specific details about the nature of the attack are scarce at the moment, VXUnderground explained in its post on X (formerly Twitter) that an unknown threat actor discovered an exploit in TikTok that allows users to hijack accounts. The payload is delivered through TikTok direct messages and executed when read, without requiring external files or user response.

The number of affected accounts is currently unclear but according to the latest update from TikTok, only two accounts have been compromised, one being CNN’s.

The attack was first reported by Semafor and Forbes, according to which TikTok was targeted in a zero-click account takeover campaign that allows malware to compromise brand and celebrity accounts without direct interaction. Both the outlets confirmed that CNN temporarily removed its account after being hacked.

A search for CNN returns no results for the US-based English language account

According to TikTok’s spokesperson, Alex Haurek, the number of compromised accounts is “very small,” but refused to explain how TikTok is protecting other exposed accounts.

“We are dedicated to maintaining the integrity of the platform and will continue to monitor for any further inauthentic activity,” Haurek said, specifically referring to CNN’s account compromise. TikTok is working with the news outlet to restore account access and implement enhanced security measures to safeguard their TikTok account.

TikTok’s privacy and security team spokesperson, Jason Grosse, stated that the company is still investigating the attack and cannot comment on its scale or sophistication, but mentioned that the threat is a “potential exploit.”

For your information, Hilton’s staff and sources at TikTok have confirmed that her account was targeted but not compromised.

Hanna Basha, Partner at Payne Hicks Beach, one of the oldest and known law firms in the United Kingdom, commented on the incident highlighting the threat luring behind data sharing on social media.

“TikTok is the latest of many companies to be subject to a cyberattack highlighting that it is now almost impossible to avoid these sorts of attacks and therefore incredibly important that individuals consider carefully what they are sharing on social media platforms,“ warned Hanna.

_“_Individuals sharing private messages have legal rights in privacy, confidence and data to keep these messages private and prevent them from being published. However, the practical advice must be to try to limit what you do share, even in direct messages, and before sending consider whether it could be damaging or embarrassing if published,” Hanna emphasised.

ByteDance-owned TikTok, with over one billion users globally, has reportedly taken measures to prevent future attacks and is working with affected account owners to restore access if needed.

TikTok has long been criticized for its security practices, particularly when in January 2021 Check Point Research identified a flaw that could have allowed attackers to build a database of TikTok users and in September 2022, Microsoft discovered a one-click exploit affecting the Android app, allowing attackers to take over accounts. It is about time the company strengthens its cybersecurity mechanisms to prevent similar incidents.

1. TikTok vulnerability allowed hackers to send SMS with malware
2. TikTok Invisible Body Challenge Trend Abused to Drop Malware
3. TikTokers promoted adware, earned half a million dollars in profit
4. TikTok collected MAC addresses for Android against Google’s ToS
5. New smishing scam spreads fake TikTok App loaded with malware