How do TikTok Leaks Affect Your Cybersecurity Posture?

TikTok was banned in the US on January 19, 2026 — then restored within 24 hours. For CISOs, that whiplash wasn’t just political noise. It exposed how unprepared most organisations are to make fast, evidence-based decisions about which consumer apps create genuine enterprise risk and which don’t.

This guide covers what the actual security risks are, what the ban reversal means for corporate policy, and what controls security teams should have in place regardless of what happens next.

1. The backdrop: TikTok and cybersecurity

TikTok is one of the fastest-growing social media platforms, with over 1 billion active users. Its 'For You' page (the 'fyp') delivers a personalised sequence of short videos that you can view and repost.

The content is based on your interests, with categories including entertainment, dance, memes, anime, and pranks. It also offers TikTok Shop, an e-commerce platform.

However, TikTok privacy concerns often hit the headlines. While all social media apps carry their own cybersecurity risks, TikTok stands out due to its unique geopolitical ties and ownership.

Graphic of TikTok videos from Fly High Media. Source.

Timeline of TikTok security incidents

  • February 2019: Musical.ly, which had already been merged into TikTok, paid $5.7 million to settle FTC allegations that it had violated children's privacy law (COPPA).
  • June 2020: India banned TikTok after a military clash on its border with China. Alongside privacy concerns, it stated, 'Chinese apps pose a threat to India's sovereignty and security.' (It has banned over 500 Chinese apps to date.)
  • August 2020: TikTok faced a class action lawsuit over improper processing of data from 89 million users, including facial recognition data.
  • June 2022: China-based TikTok employees were revealed to have accessed US user data, with one employee saying, "Everything is seen in China."
  • December 2022: ByteDance, TikTok's Chinese parent company, confirmed that four employees had used internal access to TikTok data to track journalists.
  • April 2023: British regulators fined TikTok £12.7 million for data law violations, including processing the data of children under the age of 13 without parental consent.
  • March 2024: The US House of Representatives passed a bill requiring TikTok's Chinese owner to sell the company or face a ban in the United States.
  • November 2024: Canadian authorities ordered TikTok to wind up its business operations in Canada, but did not ban the app.
News video screenshot from The New York Times. Source.

2. The main dangers of TikTok

Why are governing bodies like the US, UK and Canada so concerned about TikTok? Every app carries its own risks, but a particular set of TikTok security concerns stands out.

Extensive TikTok data collection

Does TikTok steal your information? TikTok gathers a lot of data, including phone numbers and device identifiers, but its data processing and behavioural tracking are broadly similar to those of other social media apps.

What sets TikTok apart is its Chinese owner, ByteDance. Critics state that ByteDance is subject to China's National Intelligence Law, obliging it to share user data on request, although TikTok denies this on its 'Myths vs Facts' web page.

Nonetheless, a huge amount of data is accessible, and it could potentially “allow China to create a full user portfolio for all its users,” according to Forbes.

An overview of TikTok’s signup page.

Information campaigns and large-scale influence

CybelAngel’s CISO, Todd Carroll, observed in a recent blog that, ‘Malicious state actors are all over social media.’ Chinese threat actors may have a particular interest in TikTok, due to its affiliations.

In an NPR podcast, experts cited the power of foreign influence on platforms like TikTok, where countries like China can run online information operations, such as 'sowing doubts about US leadership and ultimately undermine democracy.'

With one-third of the adult population accessing news stories via TikTok, the US Department of Defense highlights the dangers of foreign nations using it as a platform to spread their own information campaigns.

For example, after the US bill to ban the app or force its sale, TikTok sent in-app notifications asking users to "Speak up now" or face a shutdown of the app, which led to congressional offices receiving a flood of phone calls.

A screenshot of the in app TikTok notification to users.

The risk of deepfakes and AI training data

A RAND report on the dangers of TikTok stated that, “The potential for extensive audiovisual data collection to facilitate advanced deepfake creation is a compelling and urgent reason to scrutinize foreign-controlled apps like TikTok.”

In the report, some critics suggest that TikTok's video format offers an ideal training set for AI models, while the TikTok watermark makes the same content harder for other tools to reuse, effectively giving TikTok exclusive use of the data.

Deepfakes are realistic but fabricated video and audio files, produced by bots, creators, or threat actors using generative models. While there are legitimate uses, they can also be used to spread misinformation, destroy reputations, or support identity theft.

It should be noted that TikTok is also introducing labels and watermarks for AI-generated content. If implemented reliably, this should help users tell what is real and what is fake, though such labels only cover content that is declared or detected as AI-generated.

TikTok account downloads and updates

There are also risks associated with the TikTok app itself.

Ultimately, TikTok users are installing software controlled by a Chinese company on their devices, and an ordinary user has no way to know what a future update will contain or what new terms of service will require. App store review and OS sandboxing limit what an update can do, but they do not make it transparent.

Only teams that analyse the app or control installation through MDM can make an evidence-based call. Everyone else is trusting the vendor with their personal data.

A 2026 ban update

In January 2026 TikTok went dark for US users for approximately 14 hours before being restored following intervention from the incoming administration. As of April 2026 the app remains operational in the US, but its legal status remains unresolved, a temporary reprieve rather than a settled outcome. For security teams, the lesson is that policy decisions about TikTok cannot depend on regulatory outcomes that may change again within months.

3. What are the actual enterprise risks of TikTok?

The question for security teams isn’t whether TikTok is safe in general — it’s whether your organisation has assessed the specific risks it creates in an enterprise context. There are three that matter.

Employee device access. In 2020 TikTok was among the apps found reading the iOS clipboard without a user action, and the app collects location data and device identifiers. On a personal device this is a privacy concern. On a device that also connects to corporate email, VPNs, or cloud applications, clipboard reads become a credential risk: a password or access token copied while the app is active can be read by it. Current mobile operating systems narrow this (Android 10 and later block clipboard reads by background apps; iOS 14 and later show a banner on each paste, and iOS 16 and later prompt before an app reads the clipboard programmatically), so the residual exposure is on out-of-date devices and while the app is in the foreground. Security teams should audit whether TikTok is installed on any MDM-enrolled device, check the OS version on those devices, and enforce policy accordingly.

ByteDance data access. In 2022, ByteDance employees based in China were confirmed to have accessed the data of US journalists through TikTok’s internal systems. The mechanism — privileged internal access to user data — is not unique to journalists. Any organisation whose employees use TikTok on devices with access to sensitive systems should treat this as a supply chain risk, not a consumer privacy issue.

Influence operations. The US Department of Defense has documented TikTok’s use as a platform for foreign information operations. For organisations with executives who are public figures, or who take positions on geopolitical or regulatory issues, TikTok’s algorithmic amplification creates both a reputation risk and a social engineering vector. Adversaries can use the platform to build detailed profiles of executives and target employees with highly personalised phishing campaigns.

What security teams should do

Action: Establish a written policy on TikTok specifically — not just a generic social media policy. It should state whether TikTok can be installed on MDM-enrolled devices, personal devices used for work email, and devices issued to executives or anyone with access to sensitive systems. Ambiguity here is the risk.
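The written policy above, and the device audit called for under "Employee device access", can be expressed as rules and run over an MDM inventory export. The following is an added example, not CybelAngel's or TikTok's code. It assumes a constructed inventory format standing in for whatever your MDM exports, and it assumes the TikTok bundle and package identifiers listed, which should be checked against your own MDM app catalogue before use.

```python
"""Added example: evaluate a written TikTok device policy against an MDM inventory.

Assumptions (not from the page): the Device record and SAMPLE_INVENTORY are a
constructed stand-in for an MDM export; TIKTOK_APP_IDS are the identifiers
publicly used by the TikTok apps and must be verified against your MDM catalogue.
"""
from dataclasses import dataclass, field

# Assumed identifiers for TikTok builds; verify against your MDM app catalogue.
TIKTOK_APP_IDS = {
    "com.zhiliaoapp.musically",  # iOS bundle ID and US Android package
    "com.ss.android.ugc.trill",  # Android package used outside the US
}


@dataclass
class Device:
    device_id: str
    owner: str
    mdm_enrolled: bool
    has_work_email: bool
    sensitive_access: bool  # VPN, admin consoles, finance/HR systems, etc.
    executive: bool
    apps: set = field(default_factory=set)


def evaluate(device: Device) -> list:
    """Apply the three policy questions from the section: MDM-enrolled devices,
    personal devices that receive work email, and executives / sensitive users.
    Returns a list of human-readable findings (empty means compliant)."""
    if not device.apps & TIKTOK_APP_IDS:
        return []
    findings = []
    if device.mdm_enrolled:
        findings.append("TikTok installed on MDM-enrolled device")
    if device.has_work_email and not device.mdm_enrolled:
        findings.append("TikTok on unmanaged device that receives work email")
    if device.executive or device.sensitive_access:
        findings.append("TikTok on device of an executive or sensitive-system user")
    return findings


def audit(devices) -> dict:
    """Return {device_id: [findings]} for every device that violates the policy."""
    report = {}
    for device in devices:
        findings = evaluate(device)
        if findings:
            report[device.device_id] = findings
    return report


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    Device("ios-001", "cfo", True, True, True, True,
           {"com.zhiliaoapp.musically", "com.microsoft.Office.Outlook"}),
    Device("and-002", "intern", False, True, False, False,
           {"com.ss.android.ugc.trill"}),
    Device("ios-003", "engineer", True, True, False, False,
           {"com.slack.Slack"}),
    Device("and-004", "engineer-personal", False, False, False, False,
           {"com.zhiliaoapp.musically"}),  # purely personal: not flagged
]

if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_INVENTORY).items():
        print(device_id, "->", "; ".join(findings))
```

The fourth sample device shows the boundary the policy draws: a personal phone with TikTok that never touches work email or corporate systems produces no finding, which keeps the audit focused on work-connected devices rather than employees' private lives.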

Action: If TikTok is permitted on any work-connected device, decide how you will detect clipboard abuse. On managed desktops, endpoint telemetry can flag unusual clipboard reads. On iOS and Android the operating system does not expose per-app clipboard reads to MDM or mobile threat defence tools, so the practical controls are a minimum OS version on which background clipboard reads are blocked or prompted, app allow and deny lists, and password managers that autofill rather than copy. This applies to TikTok and any other app with similar behaviour.

Action: Include TikTok-specific scenarios in phishing awareness training. Attackers increasingly use TikTok content as lures — fake links in comments, impersonation accounts of company executives, and QR codes shared via the platform. Employees who understand the specific attack vectors are significantly less likely to fall for them.

CybelAngel monitors your external attack surface continuously — including social media impersonation, executive exposure, and credential risks that originate outside your network perimeter.

FAQ

Is TikTok dangerous? It all depends on your privacy tolerance. While TikTok collects significant data, so do other apps and ad profiling tools. The key is to use privacy settings, stay aware of permissions, and monitor your wider digital footprint.

Does a government ban remove the risk? A ban could limit availability but would not stop determined users from sideloading the app or reaching it through a VPN. Enterprises should prepare for TikTok risks regardless of government action.

Is TikTok worse than other social media apps? TikTok faces unique scrutiny due to its ownership, but other social media apps also pose significant privacy and security risks. The key is to evaluate each app individually.

Should enterprises ban TikTok? This depends on your organisation's risk tolerance. For high-security environments, a TikTok ban may be prudent. For others, clear policies and technical controls may be enough.

What is a vm.tiktok.com URL? A URL of the form vm.tiktok.com/... is a share link generated when someone shares a video from the TikTok app. It redirects to the full video page on tiktok.com, so the destination is not visible in the link itself; treat it like any other URL shortener when triaging suspicious messages.
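The FAQ item above, and the "fake links in comments" lure described under awareness training, both come down to recognising TikTok links that hide their destination or imitate the real domain. The following is an added example, not CybelAngel's code, of a small URL triage helper. It assumes vm.tiktok.com as the share-link host the FAQ names, a constructed sample message, and a deliberately simple lookalike rule (host contains "tiktok" but is not tiktok.com or one of its subdomains); it is a triage aid, not a complete phishing detector.

```python
"""Added example: classify URLs in a message as TikTok share links, genuine
TikTok links, TikTok-lookalike domains, or other.

Assumptions (not from the page): SHARE_HOSTS and the lookalike heuristic are
the author's choices; SAMPLE_MESSAGE is constructed, not a real message.
"""
import re
from urllib.parse import urlsplit

# Plain http(s) URLs up to whitespace or a closing bracket/quote.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

LEGIT_SUFFIX = ".tiktok.com"
SHARE_HOSTS = {"vm.tiktok.com"}  # redirecting short links: destination not visible


def classify_url(url: str) -> str:
    """Return one of: tiktok-share-link, tiktok, lookalike, other."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in SHARE_HOSTS:
        return "tiktok-share-link"
    if host == "tiktok.com" or host.endswith(LEGIT_SUFFIX):
        return "tiktok"
    # Brand name anywhere else in the host, including as a leading label of an
    # unrelated registrable domain, is treated as a lookalike.
    if "tiktok" in host:
        return "lookalike"
    return "other"


def triage(message: str) -> list:
    """Return (url, label) pairs for every URL found, in order of appearance."""
    return [(url, classify_url(url)) for url in URL_RE.findall(message)]


def suspicious(message: str) -> list:
    """URLs a user should expand or verify before clicking."""
    return [url for url, label in triage(message)
            if label in ("tiktok-share-link", "lookalike")]


# Constructed sample message (not a real email or comment).
SAMPLE_MESSAGE = """Hi team, our CEO posted about the merger: https://vm.tiktok.com/ZMabc123/
Verify your account here: https://tiktok.com.login-verify.example/auth
Official page: https://www.tiktok.com/@company
Agenda: https://example.org/agenda.pdf"""

if __name__ == "__main__":
    for url, label in triage(SAMPLE_MESSAGE):
        print(f"{label:18} {url}")
```

The second sample URL is the case training should highlight: the host starts with "tiktok.com" but the registrable domain is login-verify.example, so a suffix check on the real domain, not a prefix check, is what separates it from the official page.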

Wrapping up

Despite its recent controversies, TikTok isn't going anywhere soon. Whether you're a CISO or an IT manager, it's vital to assess the app's implications for your cybersecurity strategy.

But with the right policies, technical controls, and employee education, you can reduce TikTok security risks—whether they come from TikTok or any other social media app.

If you’d like to learn more about safeguarding your enterprise, contact CybelAngel for expert insights on external attack surface management (EASM).

About the author