A string of attacks on prominent Chinese language websites and social networks may have leaked some 100 million username-password combinations online and revealed shoddy security practices at the sites, including Twitter competitor Sina Weibo.
According to a report from the Beijing based Caixin Online, sometime between December 21 and 26 hackers infiltrated the databases of many of China’s most popular blogging, shopping, social networking, and gaming sites. They subsequently published more than 100 million usernames, passwords, and email addresses. Among the sites reportedly targeted in this attack were the Chinese Software Developer Network (CSDN), the Internet forum Tianya, social networks Renren and Kaixin001, as well as Sina Weibo, a Twitter-like microblogging platform that is popular in China. Various online gaming sites were also hacked.
China’s Ministry of Industry and Information Technology denounced the hack as infringement upon the legal rights’ of Internet users, according to the report.
The sites in question may have employed loose password storage policies, including storing user name and password data in clear text, according to Shi Xiaohong, president of Chinese Anti-Virus company Qihoo 360. Chinese officials are urging the companies in question to start encrypting such information and to inform affected users about the breach and its security implications immediately.
Initial reports of the breach focused on the CSDN incident, which affected around six million users. Recent reports suggest the scope of the hacks is much greater and affects many more prominent sites.
Caixin reports that CSDN released a public apology regarding the incident, while Sina Weibo is claiming that they encrypt their users’ account information, and that the unauthorized accounts accessed within their network are the result of password sharing.
The incident, at least in terms of scope, is reminiscent of an attack on Sony’s PlayStation Network in spring of 2011. As is so often the case in large hacks like these, the range of affected services ends up going far beyond those that were actually hacked, due largely to the poor password management of users whose account information was leaked.