As Many As 700,000 Turkish TikTok Accounts Were Hacked Before … – Forbes

Illustration by Angelica Alzona for Forbes

By Emily Baker-White, Forbes Staff

Weeks before Turkey's authoritarian president, Recep Tayyip Erdoğan, eked out a narrow reelection in May, TikTok's acting security chief, Kim Albarella, received a piece of bad news: As many as 700,000 TikTok accounts in Turkey had been compromised by a hack that allowed attackers to access users' private information and control their accounts.

Internal emails, chat logs, documents, and other sourcing from inside and outside of TikTok reveal that the company was made aware of the vulnerability, which stemmed from its so-called greyrouting of SMS messages through insecure channels, more than a year earlier: In April 2022, TikTok's security chief Roland Cloutier received an email from the U.K.'s National Cyber Security Centre, a division of the nation's top intelligence agency, GCHQ, warning that this practice could allow SIM farms in Russia and other countries to request and intercept one-time passwords to gain access to TikTok users' accounts.

In layman's terms, greyrouting means sending SMS text messages through unsecured channels in order to bypass fees established by international telecommunications agreements. Using greyroutes can save companies money and help them avoid guardrails like rate limits and anti-spam detection, but doing so can compromise messages' security, making them vulnerable to interception.

Cloutier's team internally investigated the GCHQ tip, and learned that ByteDance was indeed using greyrouting to keep costs down. The company then considered changing its SMS message providers, but decided against the change, apparently because the fix would have cost the company millions of dollars each month.

Alex Stamos, director of the Stanford Internet Observatory and former security chief for Facebook, cautioned that without more information, it's hard to know how significant the breach was. "This could range from a super advanced spam attack to a state actor," he said. "If you'd just told me 700,000 accounts, I'd tell you that's a Wednesday." But he noted that SMS hijacking attacks are often more targeted than random takeovers, and authoritarian states almost always have control of telecom companies.

This exploit is the largest known compromise of TikTok accounts that has been acknowledged as genuine by the company. (TikTok denied reports of another alleged attack in September 2022.) In response to a detailed list of bullet points and questions about the attack, TikTok spokesperson Alex Haurek wrote in an email, "TikTok became aware of unusual activity in April that affected the number of likes and accounts being followed on some user accounts. We immediately took steps to reverse and terminate this activity, notified affected users, and helped them secure their accounts."

Haurek continued, "TikTok was not hacked. None of our internal systems were compromised and no company data was exfiltrated. When TikTok became aware of the incident in question, we immediately ramped up monitoring for inauthentic behavior, while working to mitigate the issue, which has since been resolved." He said TikTok did not find any evidence that unauthorized content was posted or used in direct messages.

TikTok and its parent company, ByteDance, have faced harsh scrutiny in recent months for misleading lawmakers about their data security practices. In April, Forbes revealed that the company had stored sensitive financial information from thousands of U.S. vendors and creators in China, despite testimony from TikTok CEO Shou Zi Chew at a recent hearing that American data has always been stored in Virginia and Singapore. Meanwhile, ByteDance is under federal criminal investigation for using the TikTok app to spy on journalists, including this reporter. (Disclosure: in a former life, I held policy positions at Facebook and Spotify.)

It is also not clear who exploited the vulnerability. Under Erdogan, the Turkish government has a history of using state-sponsored troll networks to hack and intimidate journalists and other critics. In the run-up to the May election, Erdogan relied on deepfakes and censorship to help swing voters his way. His main opponent in the election, Kemal Kilicdaroglu, also accused Russia's government of distributing false information during the days before the election. Haurek said an internal TikTok investigation found no evidence that the activity was related to the Turkish elections.

This security breach emphasizes the power and responsibility that TikTok now holds as one of the most popular apps in the world. Like tech giants Meta, Twitter, and Google, its endless feed of personalized recommendations has the power to move markets, change culture and swing elections. This power has alarmed regulators concerned about the company's ties to the Chinese state, but has also made its app a prime target for hackers, bot armies, scammers and others seeking to exploit its billions of users.

The risk of exploitation is heightened in states with records of human rights violations, and also in the periods leading up to major elections. TikTok has repeatedly deemphasized the role of politics on its platform, differentiating itself from Facebook, which previously encouraged politicians to use its platform for advocacy. Its lobbyists have told politicians and reporters that TikTok is not the go-to place for politics, while also assuring them that political speech on the app will not be censored. But with Twitter's rightward shift and Meta's 180-degree turn away from political content (a decision the company made after election deniers on its platforms helped incite the January 6, 2021 attack on the U.S. Capitol), TikTok may be the next natural place for political discourse.

This week, TikTok published a blog post announcing that the app is introducing passkeys, a way for users to log into their accounts without using SMS codes, and that it had joined a security trade group called the FIDO Alliance. A tweet from the FIDO Alliance shows that TikTok first joined the group in April, and the new passkeys feature rolled out in late June.

When asked whether any TikTok or ByteDance SMS vendors were still engaged in greyrouting today, Haurek said, "Like many global companies, we have multiple partners in the telecommunications sector and, while we do not disclose those partners by geography, we continuously work to keep our community secure."
