CSDN, Tianya, Renren, Kaixin Hacked, 6 Million Users’ Privacy Leaked
It is reported that the personal information of over 6 million CSDN users was leaked almost overnight. Many well-known Chinese Internet companies, such as Renren.com, Duowan.com and Jiayuan.com, were involved in the hacking case. The stolen information might be sold, or used for profit through fraud and advertising.
6 million users’ information stolen
The leak first appeared on China’s largest programmers’ website, CSDN (China Software Developer Network). On the 21st, hackers exposed a user database from CSDN containing more than 6 million registered email addresses and the corresponding passwords in clear text. Because many users registered with the same ID and password on several sites, many other websites were soon involved in the case, including Renren.com, Kaixin.com, Baihe.com, Zhenai.com, Jiayuan.com, 51CTO, CNZZ, eNet, UUU9, Duowan.com and Moco.cc. It is believed to be the largest information leak in the history of China’s Internet.
What made it strange was that the 6 million leaked passwords were in clear text, i.e. passwords that could be read directly without any decryption. In general, when users register on a website, the passwords they type are shown as *, and all websites claim to strongly encrypt their back end. It is said that over 90% of China’s outstanding programmers are on CSDN. How, then, are those clear-text passwords to be explained? There is still no response.
“There is still not enough security awareness among websites,” said Li Tiejun, an expert at Kingsoft. Encryption technology has been mature for a long time, he said, but hackers have already collected many passwords in clear and cipher text and built a large database (an online password dictionary): “some of the simplest strings of characters were added to the dictionary and thus could be cracked immediately.” The success rate is said to be up to 93%.
One data packet worth millions
In response, CSDN officials issued a statement on the 22nd, saying that the CSDN user database leaked on the Internet was a backup created before April 2009. The cause of the leak is still unclear, and CSDN has reported the case to the public security organs. CSDN asked users who registered before April 2009 and never changed their passwords afterwards to change them immediately.
But people in the security sector suspect that the exposed data may be only a small part, and that more data may have been sold by hackers. One source said such data is worth millions on the black market in hacker circles. Buyers would use the information for fraud or to buy up competitors’ user bases; some would send advertisements or junk mail for profit; and the data would finally be exposed once it became worthless. Users were kept completely in the dark the whole time.
2.39 million people have the same password
After the user data was exposed, statistics showed that 2.39 million users’ passwords were the same as other users’. Among all the passwords, the simplest, “123456789”, was the most popular, used by 235 thousand people; the second most popular was “12345678”, used by 210 thousand; “11111111” was used by more than 70 thousand. In short, a large number of people use passwords made of the same repeated letters or characters, such as “aaaaaaaa”, which are very weak.
Li Tiejun pointed out that many netizens use a single email address on all websites. Once the user data of one website is exposed, all their personal information, such as email, chat records and microblogs, could be leaked. “Some email addresses in this list are connected with online payment systems,” Li said, suggesting that netizens should change their passwords at once to more secure ones to avoid financial loss.
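A defender’s illustration of the two points above (clear-text storage in the CSDN database, and the common passwords in the leaked list), added here and not code from CSDN or from the article: per-user salted PBKDF2 storage, constant-time verification, and a weak-password check seeded with the passwords the article names. The deny-list, round count and record format are constructed assumptions, not CSDN’s.

```python
"""Password storage the way the article implies CSDN should have done it:
never keep the clear text, persist a per-user salt plus a slow salted hash,
and refuse the weak passwords that dominated the leaked list.
Added illustration, not CSDN's code. Standard library only."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed deny-list: the passwords the article names as most common.
COMMON_PASSWORDS = {"123456789", "12345678", "11111111", "aaaaaaaa"}
PBKDF2_ROUNDS = 100_000  # assumed value; slows every guess, tune to hardware


def is_weak(password: str) -> bool:
    """True for the kinds of passwords the leak showed to be widespread."""
    if len(password) < 8 or password in COMMON_PASSWORDS:
        return True
    if len(set(password)) == 1:                     # "aaaaaaaa", "11111111"
        return True
    digits = "0123456789"
    if password in digits or password in digits[::-1]:  # "12345678", "987654321"
        return True
    return False


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salthex$hashhex'. A fresh 16-byte salt per
    user means two users with the same password get different records, so a
    precomputed clear-text/cipher-text dictionary cannot be reused across them."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password: str) -> str:
    """What a registration handler should persist: the record, never the clear text."""
    if is_weak(password):
        raise ValueError("password is on the weak list or too simple")
    return hash_password(password)
```

Had the leaked backup held records of this form instead of clear text, a dump would have forced attackers to run the slow hash separately against every salt rather than read the passwords off the page.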
How to protect online privacy
Cases of leaked personal user information have appeared one after another, sounding the alarm for online privacy protection. Some observers asked: if even a programmers’ website with over 20 million users could be cracked, is any website trustworthy? And what if the information is exposed again a few days after the passwords are changed?
In fact, when users register on a website they only hand over their information from their own side; whether the website has any protection system at all is an open question. Would websites, driven by profit, pass users’ personal information to a third party with no legal ground? What would the third party do with that information? Who should take responsibility when the information is leaked, and how much responsibility could they bear? These are all points where the legal risk lies.
People in the legal sector disclosed that the key point is that there is still no corresponding law. In present practice, if users claim compensation only for the leaking of passwords or invasion of privacy, they would find it hard to win because of the difficulty of providing evidence. Enterprises, on the other hand, hold large amounts of user information; they could give it to whomever they want, while users have no right to question this, which makes it a big risk.