Data belonging to millions of Weibo users is currently for sale on the dark web, ZDNet reported. The tech media outlet came across the advertisements while browsing the dark web and “other places.” The ad claimed that a hacker breached the Weibo database in 2019 and stole the data of 538 million users. The ad is selling the info for $250.
ZDNet said that the data includes names, usernames, location, gender and phone numbers. The report also noted that the selling price is low because passwords were not included.
Weibo declined ZDNet’s requests for comment. The company did release a statement to the Chinese media, which the tech media outlet described as “confusing.”
According to the statement, the phone numbers were obtained toward the end of 2018. Weibo’s team detected the hack when its system was bombarded with contacts trying to match accounts with phone numbers. The Chinese social media company said that passwords are not stored in plaintext, which means that they are safe.
Cybersecurity experts from China questioned the veracity of Weibo’s statement. They identified “technical irregularities” in the explanation, especially regarding the source of the data. According to these specialists, the ad indicated that the data was obtained from an SQL database dump. This does not match the explanation that the data was acquired through API matching.
The experts also pointed out that the statement failed to clarify how the other information was obtained. This includes gender and location, which could not be acquired through the API.
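The kind of contact-matching abuse Weibo’s statement describes can be caught by watching how many phone numbers each client submits for matching. The sketch below is an added example, not Weibo’s code or anything from the reports: the event format, client IDs, thresholds and sample data are all assumptions constructed for illustration, and phone numbers are assumed to be digit-only strings.

```python
from collections import defaultdict, deque

# Assumed thresholds; tune against real traffic.
WINDOW_SECONDS = 3600   # look-back window per client
MAX_NUMBERS = 2000      # distinct numbers one client may submit per window
MIN_SEQ_RATIO = 0.5     # share of numbers adjacent (+/-1) to another one
MIN_SEQ_SAMPLE = 20     # skip the adjacency test for tiny address books

def sequential_ratio(numbers):
    """Fraction of distinct numbers that sit next to another submitted number."""
    nums = sorted({int(n) for n in numbers})
    if len(nums) < 2:
        return 0.0
    adjacent = set()
    for a, b in zip(nums, nums[1:]):
        if b - a == 1:
            adjacent.update((a, b))
    return len(adjacent) / len(nums)

def detect_enumeration(events, window=WINDOW_SECONDS, max_numbers=MAX_NUMBERS):
    """events: (epoch_seconds, client_id, [phone numbers]) tuples sorted by time.
    Returns {client_id: reason} for clients whose matching looks like bulk lookup."""
    recent = defaultdict(deque)          # client -> (timestamp, number) pairs
    flagged = {}
    for ts, client, numbers in events:
        q = recent[client]
        q.extend((ts, n) for n in numbers)
        while q and q[0][0] <= ts - window:   # drop entries older than the window
            q.popleft()
        distinct = {n for _, n in q}
        if len(distinct) > max_numbers:
            flagged.setdefault(client, "volume")
        elif len(distinct) >= MIN_SEQ_SAMPLE and sequential_ratio(distinct) >= MIN_SEQ_RATIO:
            flagged.setdefault(client, "sequential")
    return flagged

def sample_events():
    """Constructed sample: one ordinary sync, one bulk client, one range walker."""
    events = [(1000, "client-a", [str(13800000000 + i * 7919) for i in range(150)])]
    for b in range(30):                  # 30 batches of 100 scattered numbers
        nums = [str(13900000000 + (b * 100 + i) * 7919) for i in range(100)]
        events.append((1000 + b * 60, "client-b", nums))
    events.append((5000, "client-c", [str(13700000000 + i) for i in range(25)]))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    print(detect_enumeration(sample_events()))
```

A volume ceiling alone misses slow walkers, which is why the adjacency check is applied separately to smaller submissions.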
Theories abound as to how the hacker was able to obtain such info. Theories of password spraying and credential stuffing were rejected as the data did not include passwords.
ZDNet also noted that the hacker used the handle “@weibo” in some ads. The seller also provided sample information which was confirmed as true by some users.
Weibo’s Security Director Luo Shiyao said that the security community is “overreacting” with regard to the hacking, reported Pandaily. In Luo’s statement, he said that “phone numbers were leaked due to brute-force matching in 2019 and other personal information was crawled on the internet.” The director also noted that they took immediate action to fix the issue once they were made aware of the attack.
Pandaily noted that Luo’s statement has since been deleted.
Meanwhile, the company’s statement released to the Chinese media said that it has notified the government about the incident.