ByteDance, the Chinese parent company of popular social media app TikTok, has admitted that some of its employees used the app to improperly obtain the Internet Protocol (IP) address of two United States (US) journalists and used this data to monitor their physical location.

User IP addresses are transmitted to apps, websites, and other online services whenever users connect to them. By default, this IP address will reveal the geolocation of the user.

ByteDance made the admission after performing an internal investigation and said that Emily Baker-White, a former BuzzFeed reporter who now works at Forbes, and Cristina Criddle, a Financial Times reporter, were surveilled. ByteDance also admitted that “a small number of people connected to the reporters” had their data improperly accessed. Forbes reported that two of its other reporters who formerly worked at BuzzFeed News, Katharine Schwab and Richard Nieva, were also tracked.

Most of the journalists who were targeted by TikTok have reported on the company and some of these reports highlighted TikTok’s struggles and privacy concerns associated with the app. For example, Baker-White previously reported on ByteDance’s plans to use TikTok to monitor the physical locations of Americans while Criddle previously reported on “TikTok Shop’s troubled UK expansion.”

The surveillance of these journalists and other users occurred over the summer when four ByteDance employees who were part of a Beijing-based “Internal Audit and Risk Control” department, which is primarily responsible for monitoring employee conduct, attempted to find the sources of suspected leaks to journalists. As part of this attempt, the employees improperly accessed the IP addresses and other data of the journalists and other users. The goal of this surveillance was to determine whether the journalists and other users were within proximity of ByteDance employees.

Two of the ByteDance employees who engaged in this surveillance were working in China and two were working in the US. All four of the employees who spied on the US reporters have allegedly been fired.

Prior to these revelations, ByteDance and TikTok had repeatedly denied reports about their plans to track US users. TikTok previously claimed that Baker-White’s report on ByteDance’s plans to use TikTok to monitor the physical locations of Americans lacked “rigor and journalistic integrity.” And as recently as Sunday, TikTok’s Head of Public Policy claimed that reports of TikTok sharing US user data with China were “false,” “not accurate,” and “misinformation.”

TikTok spokesperson Hilary McQuaide told Forbes: “The misconduct of certain individuals, who are no longer employed at ByteDance, was an egregious misuse of their authority to obtain access to user data.”

Forbes’ chief content officer, Randall Lane, described the surveillance as “a direct assault on the idea of a free press and its critical role in a functioning democracy.”

Financial Times news editor Matthew Garrahan said: “Outrageous: TikTok has admitted using its app to track the movements of two journalists reporting on the company, including the FT’s Cristina Criddle, who delivered fearless reporting about problems at its commerce unit.”

Senator Mark Warner added: “This new development reinforces serious concerns that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China to repeatedly access private data of U.S. users despite repeated claims to lawmakers and users that this data was protected. The DoJ has also been promising for over a year that they are looking into ways to protect U.S. user data from Bytedance and the CCP [Chinese Communist Party] — it’s time to come forward with that solution or Congress could soon be forced to step in.”