TikTok DM Vulnerability Affects Accounts Including CNN's and Paris Hilton's, Reports Say

The social-video company told Forbes it's aware of the hack and is working with account holders who've been affected.

Omar Gallaga

Reports have emerged of TikTok accounts being taken over by hackers, with news network CNN and celebrities including Paris Hilton appearing to be victims of a flaw spreading via direct messages.

Forbes reported earlier Tuesday that malware is spreading on the TikTok mobile app through DMs, and that, alarmingly, users don't need to click or forward the bad direct message for their account to be affected. According to Forbes, which cited an unnamed source within the company, "The hacked accounts do not appear to be posting content, and it's unclear how many have been affected."

A TikTok spokesperson told Forbes that the social-video site's security team is aware of a hack and is restoring access to accounts that were hit. The spokesperson confirmed to Forbes that CNN's TikTok account was affected. TikTok didn't immediately respond to CNET's request for more information. 

As of the time this article was published, CNN's official TikTok account doesn't appear to be active, but several fake accounts do show up after a search. CNN is reportedly working with TikTok to ensure security ahead of this year's US presidential election, according to Semafor. The same report says multiple CNN employees have access to the CNN TikTok account but that, according to an unnamed source, "the breach did not appear to be the result of someone gaining access from CNN's end."

Celebrity Paris Hilton's account was active as of Tuesday, after reports that it was one of the accounts hacked.

Neither CNN nor representatives of Paris Hilton immediately responded to CNET's requests for comment.

TikTok's tips for hacked accounts

TikTok's support page on dealing with hacked accounts offers tips that include resetting account passwords, linking a phone number for two-factor authentication, and removing suspicious devices. However, it makes no mention of direct messaging. There's a separate support page that allows users to report a suspicious DM.