Amidst the nationwide fear and global ramifications of the coronavirus pandemic, Chinese citizens received another significant blow. On March 19, Jinse, a local Blockchain-focused publication, reported that one of the country’s most prominent social networks, Weibo, had been attacked. The private data of more than 172 million users had been stolen and uploaded to the dark web for sale.
According to the report, the basic information on offer includes user ID, address, gender, and the number of posts, followers, and fans. Interested buyers could purchase all of this data for 0.177 Bitcoin (BTC).
Luo Shiyao, a security director at Weibo, confirmed the privacy breach via a tweet. He stated that users’ mobile numbers had been obtained through a 2019 address-book feature, while the rest of the data had been scraped from the web. Weibo shut down the API immediately and reported the breach as soon as it discovered the attack. He added that the company is now pursuing the culprit. Interestingly, Luo’s post was deleted not long after.
The publication also wrote that a former director of Ali Group Security Research Lab noted that anyone who knows a Weibo account’s address can find out that user’s mobile phone number. Like Luo’s, this post was deleted as well.
A security expert from Shanghai, Yao Xiang, commented that data breaches are nothing new in China. In 2011, China Software Developer Network (CSDN) suffered a similar attack affecting over 6 million of its users. In 2018, it fell victim to attackers once again, compromising the private information of more than 130 million people. The price was higher back then as well, with the attackers asking for 8 BTC, or $56,000, in exchange for the information. However, as Yao emphasized, the attack on Weibo far exceeded the previous incidents in both depth and scale.
Weibo’s controversial denial
Weibo released its official announcement immediately after the first post about the issue had been deleted. According to the social network, there was no truth to the report that the data of over 500 million users had been compromised. Rather than dwelling on the figure, however, Weibo focused on the result of its investigation: the issue stemmed from a security loophole in 2018. The attackers uploaded mobile numbers, scraped the Weibo nicknames associated with those numbers, and put the data up for sale on the dark web. Despite this questionable explanation and the unclear nature of the breach, Weibo maintained that the attack barely affected the normal functioning of the social network.
Commenting on the API issue, Yao said that the attack could also have resulted from an internal risk management failure. He emphasized that Weibo apparently was not complying with the government’s requirements, specifically the requirement to hash users’ information so that it is not stored in readable form.
The social network’s failure to protect its users’ information only highlights the importance of anti-surveillance and decentralization. Yao said that it would be beneficial if more people understood how Blockchain-based privacy protection systems work.