Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale

A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”

The seller’s post, which appeared on the forum yesterday (May 29, 2025), promises a dataset containing detailed user information such as:

• Email addresses
• Mobile phone numbers
• Biography, avatar URLs, and profile links
• TikTok user IDs, usernames, and nicknames
• Account flags like private_account, secret, verified, and ttSeller status.
• Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts.

Screenshot of the Often9’s post (Image credit: Hackread.com)

****Why This Might Be Serious****

The inclusion of non-public fields such as email addresses, mobile phone numbers, and internal account flags is not something that can be casually scraped from TikTok’s public-facing website or mobile app. If these details are verified by TikTok to be accurate and recent, it suggests access to either internal TikTok systems or an exposed third-party database.

Adding to the weight of the claim, the threat actor is willing to work through a middleman, a common approach on criminal forums when large-scale data sales require third-party verification to build buyer trust.

Sample data screenshot (Image credit: Hackread.com)

****But Here’s Why Skepticism Is Warranted****

Despite the attention-grabbing sales pitch from the threat actor, several red flags cast doubt on the validity of the claim. Importantly, a significant number of sample entries show empty or generic fields for emails and phone numbers, raising the possibility that this dataset was put together from scraped public profiles and organised using old breach data or guesswork.

The threat actor is a new account on the forum, having joined only days ago, with no reputation, neither positive nor negative. In the cybercrime world, reputation is currency; major breach sellers typically have years of verified history or past successful sales.

The forum itself has a recent history of inflated or false breach claims. Notably, the same platform was used last week to promote a so-called “1.2 billion Facebook user” data sale, which was later exposed as fake in an exclusive Hackread.com investigation, leading to the seller’s ban.

A closer look at the sample data reveals that many fields, user IDs, usernames, profile links, and follower metrics, are publicly accessible and could be obtained through large-scale scraping operations. While scraping at scale can still pose risks (like phishing or spam campaigns), it does not equate to a breach of internal systems.

****Cross-Checking Email Addresses with HaveIBeenPwned****

Hackread.com also cross-checked the email addresses in the sample data against records on HaveIBeenPwned, and most were found in fewer than two previous data breaches. This is alarming and adds some legitimacy to the uniqueness of the data. However, a 1,200-line sample from a supposedly 428 million record breach is not enough to establish legitimacy.

For now, this claim should be treated with caution. As tempting as the sales numbers may be, reputationless sellers on cybercrime forums often exaggerate or fabricate to make a quick profit or attract attention.

****Not The First Time****

This is not the first time a threat actor has claimed to breach TikTok’s data. In September 2022, a hacker claimed to have acquired 2 billion TikTok records, including internal statistics, source code, 790 GB of user data, and more, a claim that was later denied by the company.

Nevertheless, Hackread.com has reached out to TikTok for comment. This article will be updated accordingly.