A massive leak of online user information has prompted widespread concern over Internet security in China
Millions of Chinese in the last week have rushed to change their passwords and online account details, after a huge cache of personal data from China’s most popular websites leaked onto the web last week.
Between December 21 and 26, hackers released the account information for more than 100 million Internet usernames, passwords and emails, spanning dozens of China’s most popular online shopping, microblogging, social networking and gaming websites.
Anti-virus company Qihoo 360’s Vice President Shi Xiaohong attributed the leak to companies neglecting to encrypt their users’ passwords and account information, Xinhua reported. Legal experts told Caixin that the massive leak also revealed shortcomings in Chinese internet security law and online ID theft protections.
The leaked files claimed to contain information from websites including the Internet forum Tianya (tianya.cn), the social networking sites Renren (renren.com) and Kaixin001 (kaixin001.com), the microblog platform Sina Weibo (weibo.com), the IT development site CSDN.net and online gaming sites like 17173.com and duowan.com.
It all started when Qihoo 360 revealed December 21 that a list of 6 million user IDs, passwords and email addresses from CSDN.net (China Software Developer Network) was circulating on the web. In the days following, lists containing the personal account details of users across dozens of websites emerged.
China’s Ministry of Industry and Information Technology (MIIT) December 28 denounced the slew of hackings, saying they “infringed on internet users’ legal rights.” MIIT said that it has put together a team and is liaising with companies to assess the situation.
Officials urged companies to immediately inform users of security breaches, and to use encryption to protect user information.
It is still unclear how the leaks occurred, or if they were coordinated. Legal experts said the incident exposed serious shortcomings in Chinese laws and regulations, which have yet to clarify what companies’ duties are when it comes to protecting user information.
Beijing Lanpeng Law Firm head Zhang Qihuai said there are currently “many holes” in the laws that could protect Internet users.
“Currently there are only ten laws and regulations, mostly pertaining to the information industry,” Zhang said, but because legislators have yet to clarify how exactly the general rules should be applied “it’s impractical to use them to protect users.”
Zhao Zhanling, legal counsel for China Internet Network told First Financial Daily that individual users may pursue civil compensation in court, but that it would be difficult for them to prove that hackers were to blame for their financial loses online.
CSDN.net has issued a public apology, urging its users to immediately change their passwords. Sina Weibo said the rumored 4.76 million list of Sina Weibo accounts were not from the company’s files, as Sina encrypts all its passwords.
But because some people use the same name and password for accounts across multiple websites, a small portion of Sina Weibo users may be at risk nevertheless, Sina said.
NetEase December 29 denied that hackers had obtained email usernames and passwords, saying it would investigate where the rumor came from. Sina Weibo’s anti-rumor team also refuted a widely-forwarded post that said hackers had released over 100 million bank card numbers from Bank of Communications and Minsheng Bank accounts.