TikTok Zero-Day Hack Used To Compromise Celebrity TikTok Accounts

TikTok, the popular short video-sharing app, on Tuesday said it had taken preventive measures to stop a zero-day attack that allowed hackers to target high-profile TikTok accounts of celebrities and brands, including those belonging to CNN, Paris Hilton, and Sony.

While the ByteDance-owned video app maker did confirm that it is dealing with a cyberattack, it did not disclose the nature of the attack or the mitigation methods it had used.

It did, however, say that it has taken preventive measures to stop the attack and keep it from happening again.

It also mentioned that a “very small” number of high-profile accounts were compromised in the cyberattack, and it is working with affected owners to restore access to their accounts.

“Our security team is aware of a potential exploit targeting a number of high-profile accounts. We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed,” a TikTok spokesperson said in a statement.

While the current number of affected users is unknown, Semafor and Forbes were the first to confirm that CNN’s TikTok account was compromised in the cyberattack, which forced the news network to take down its TikTok account for several days.

“We have been collaborating closely with CNN to restore account access and implement enhanced security measures to safeguard their account moving forward. We are dedicated to maintaining the integrity of the platform and will continue to monitor for any further inauthentic activity,” a TikTok spokesperson said about CNN.

The company also revealed that the TikTok account of reality television star Paris Hilton, who has more than 10 million followers on the social media app, was targeted but not compromised.

According to TikTok, the cyberattack had taken place through the app’s direct messaging feature.

Apparently, the attackers exploited a zero-day vulnerability in direct messages (DMs) by tricking targets into opening a malicious message; the exploit does not require downloading a payload or clicking embedded links.

The company declined to divulge the complete list of accounts that had been targeted or compromised as it is still investigating the “potential exploit.”

Kavita Iyer