ZDNet, citing one of its readers, reports that the web version of TikTok does not enforce the multi-factor authentication (via email and SMS) that the developers rolled out to all users of the platform in August.
As a result, an attacker who has somehow obtained someone else's credentials (for example, through phishing or brute force) can simply log into the TikTok account through the website, where no second factor is requested, instead of through the mobile application, where it is.
Fortunately, the web version does not allow changing the account password, so an attacker cannot fully take over someone else's account. In practice, all they can do is upload and publish new videos, for example to damage the account's reputation or to advertise a fraudulent product on behalf of a popular user. The publication also notes that hijacked accounts could be used to spread disinformation, propaganda, and the like.
ZDNet also notes that the TikTok mobile app does not notify the user in any way about active sessions in the web version. In other words, TikTok gives users no warning at all if someone has used their credentials to log into the account through a browser.
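To make the class of failure concrete, the following is an added illustrative example, not TikTok's code and not based on any knowledge of its implementation. A toy account service offers two login paths: login_per_channel demands the second factor only for clients on an allowlist, the pattern that produces a web bypass of the kind described above, while login_hardened decides from the user's MFA enrolment alone, regardless of which client is connecting, and records every new session with its channel so the account holder can be notified of a browser login. The class and method names, the channel labels and the HOTP-based second factor are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    otp_secret: Optional[bytes]        # None means the user never enrolled in MFA
    otp_counter: int = 0
    sessions: list = field(default_factory=list)       # channel of every successful login
    notifications: list = field(default_factory=list)  # messages the account holder would see


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthService:
    """Hypothetical account service (example only) with a weak and a hardened login path."""

    def __init__(self, mfa_channels=("mobile",)):
        self.users: dict = {}
        # Weak design: MFA is a property of the client, so any channel missing
        # from this set (here "web") accepts a password alone.
        self.mfa_channels = set(mfa_channels)

    def register(self, username: str, password: str, enroll_mfa: bool) -> User:
        salt = secrets.token_bytes(16)
        user = User(username, salt, _hash_password(password, salt),
                    secrets.token_bytes(20) if enroll_mfa else None)
        self.users[username] = user
        return user

    def _password_ok(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))

    def _otp_ok(self, user: User, otp: Optional[str]) -> bool:
        if otp is None or not hmac.compare_digest(otp, hotp(user.otp_secret, user.otp_counter)):
            return False
        user.otp_counter += 1  # a used code is never accepted again
        return True

    def login_per_channel(self, username: str, password: str, channel: str,
                          otp: Optional[str] = None) -> str:
        user = self.users.get(username)
        if user is None or not self._password_ok(user, password):
            return "bad_credentials"
        # Bug: the second factor is tied to the client, not to the account.
        if channel in self.mfa_channels and user.otp_secret is not None:
            if not self._otp_ok(user, otp):
                return "mfa_required"
        user.sessions.append(channel)
        return "ok"

    def login_hardened(self, username: str, password: str, channel: str,
                       otp: Optional[str] = None) -> str:
        user = self.users.get(username)
        if user is None or not self._password_ok(user, password):
            return "bad_credentials"
        # Enrolment decides; the channel is irrelevant to whether MFA is demanded.
        if user.otp_secret is not None and not self._otp_ok(user, otp):
            return "mfa_required"
        user.sessions.append(channel)
        user.notifications.append(f"new login from {channel}")  # surfaced in every client
        return "ok"


def demo() -> dict:
    """Constructed scenario: the victim enrolled in MFA; the attacker holds only the password."""
    svc = AuthService(mfa_channels=("mobile",))
    user = svc.register("alice", "correct horse battery", enroll_mfa=True)
    return {
        "mobile_no_otp": svc.login_per_channel("alice", "correct horse battery", "mobile"),
        "web_no_otp_weak": svc.login_per_channel("alice", "correct horse battery", "web"),
        "web_no_otp_hardened": svc.login_hardened("alice", "correct horse battery", "web"),
        "web_with_otp_hardened": svc.login_hardened(
            "alice", "correct horse battery", "web", hotp(user.otp_secret, user.otp_counter)),
        "notifications": list(user.notifications),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the weak path the same password that is stopped on "mobile" succeeds on "web" without a code, which is exactly the bypass a per-client MFA policy invites; the hardened path asks for the code on every channel and leaves a "new login from web" record that a mobile client could display.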
TikTok's developers have promised to fix the problem and extend multi-factor authentication to the website as well, but have not given a time frame. ZDNet notes that the login page is protected by a CAPTCHA, which makes a wave of automated attacks and mass compromise of TikTok accounts unlikely. A CAPTCHA does nothing, however, against an attacker who already holds a particular victim's password, as in the phishing scenario above.