Social Media Platforms

TikTok, now controlled by a new U.S. joint venture formed January 22 to comply with a federal divest‑or‑ban law, has rolled out updated terms and a privacy policy that for the first time explicitly allows collection of users’ "precise location information" when device location services are enabled. The change, which comes as Oracle, Silver Lake, Abu Dhabi‑based MGX and other U.S. investors take a combined 80.1% stake and ByteDance keeps 19.9%, has sparked backlash on social media, with some users deleting the app and privacy advocates warning that address‑level tracking can reveal where people live, work and move. The policy also restates that TikTok may collect a wide range of sensitive information — including racial or ethnic origin, religious beliefs, mental and physical health diagnoses, sexual orientation and immigration or citizenship status — but shifts from saying such data is used only as needed to operate the service to a looser promise to process it "in accordance with applicable law." A TikTok official told CBS the precise‑location feature will be optional, used to power new services and features, and that users will be able to opt out, while experts note the language mirrors California’s privacy law and illustrates how much granular data a U.S.-based TikTok can still gather even after the ByteDance split.

Fox’s tech column reports a January surge of unexpected Instagram "Reset your password" emails, many of them legitimate messages triggered when unknown parties run usernames or emails through Instagram’s real password‑reset form. A Meta spokesperson confirms the company "fixed an issue that allowed an external party to request password reset emails for some Instagram users," while insisting there was no breach of its core systems and that accounts remain secure. The article notes that a BreachForums post in early January 2026 allegedly exposed data tied to about 17.5 million Instagram accounts, timing that coincides with the reset‑email wave and could have given attackers a large list of targets, though a direct link is not proven. Security experts quoted in the piece describe the campaign as social engineering that relies on panicked users clicking through reset links, choosing weak or reused passwords or falling for follow‑on phishing pages, and urge people to treat surprise resets as a warning to harden logins with strong, unique passwords and two‑factor authentication. For U.S. users, the episode highlights how even unbreached platforms can become vectors for account takeovers when attackers exploit normal recovery tools at scale.