Millions of passwords stolen through maneuvers such as 'database sweeps' point to Internet security and legal lapses in China.
Panic rippled through China's web community in December on reports that hundreds of millions of secret passwords from China's most popular websites had fallen prey to hackers.
Web users shuddered almost daily with news of another breach: One day came word that hackers had obtained 40 million user passwords from the popular opinion forum Tianya. Later, it was reported that customer names, addresses and phone numbers had leaked from the retail site 360buy.com.
The fuse that sparked what the media dubbed "Leakgate" was a hack attack on the website of the China Software Developer Network (CSDN), which compromised about 6 million usernames and passwords.
The next day, the technology-geared Moonlight Blog said more than 8 million usernames, passwords and email addresses linked to the gaming site Duowan.com had leaked.
Even government websites were compromised. One particularly stunning revelation was that data files from the Guangdong Province Entry and Exit Administration had been hacked, giving thieves access to 4.44 million foreign travel applications including names, birth dates, phone numbers and passport numbers. The stash included entry permit numbers for mainland travelers to Hong Kong and Macau.
Millions nationwide rushed to change their passwords and other online data. "Have you changed your password?" was a question posted over and again by the nation's throng of microbloggers.
Soon, the central government had mobilized forces to defend Internet security.
An emergency meeting called by the Ministry of Industry and Information Technology brought together officials from government agencies, dotcom companies and Internet security firms to study the leaks and find solutions.
One study by the state-run China National Computer Emergency Response Technical Team concluded 26 databases had been breached, putting about 278 million usernames and passwords at risk.
In the wake of Leakgate, businesses vowed to tighten online security and experts called for China to plug holes in consumer protection laws. The nation's hundreds of millions of Internet users, meanwhile, are now more cautious than ever about online security.
Facts and Rumors
A few weeks after the first reports, the government softened its tone. Leakgate was overblown, declared the State Internet Information Office (SIIO), the online content regulator. In most cases, officials said, hackers had simply guessed at passwords and usernames for targeted databases but failed to access accounts.
And some purported attacks had never happened.
From the start of the Leakgate phenomenon, officials determined, facts about genuine attacks were mixed with rumors and exaggerations.
Tianya spokesperson Chu Meng confirmed a leak of about 40 million client usernames and said police had been notified. CSDN confirmed its data breach as well and urged email users to change passwords. Guangdong authorities likewise confirmed the theft of exit-entry application data.
But the e-commerce payment service Alipay said none of its customers were in danger, and book retailer Dangdang.com said the vast majority of users had been spared during its data leak attack.
Officials at Bank of Communications, China Minsheng Bank and social network operator Renren bluntly rejected rumors of separate attacks on their websites that had allegedly affected a combined 155 million accounts.
Some criminals apparently took advantage of website and Internet user fears about password theft. A SIIO investigation of a security threat aimed at 360buy.com found a 35-year-old man from Shaanxi Province had tried to blackmail its operator, demanding 2.7 million yuan to stop a planned data attack. But the man's claim was hollow, SIIO said, and Jingdong never paid.
Nevertheless some website operators that lost data, such as CSDN and Tianya, have yet to announce the results of their Leakgate investigations.
Ma Jie, CEO of web security provider Anquanbao.com, said databases can be robbed in a variety of ways. "It's just like a house. You can come in through the window, pry open the door, climb down the chimney, or even dig a tunnel to get in," he said. "The only question is how much time and effort hackers are willing to spend."
Hackers who infiltrate a server can steal information by "sweeping a database." Data is then shared with other hackers and spreads throughout the hacker community or sold, said leak reporting platform WooYun founder Jian Xin.
The compromises that came to light during Leakgate apparently involved databases that had been hacked for data that was shared years earlier, but suddenly became more widely available on the Internet in December.
Lu Yanhui, a consultant for the network security company TOPSEC, said he'd heard about leaked databases circulating in hacker circles as early as 2008. A post-Leakgate probe by CDSN determined its database had been in the hands of hackers for a long time. And according to Zou Xiaobo, technology director at TOPSEC's Chengdu branch, many insecure website servers had been infiltrated and pilfered in the past.
"These databases had already been circulating among hacker circles over the past few years," said Ma. Leakgate "was nothing more than a concentrated explosion" of data he blamed on an accumulation of "Internet business security problems."
"It was only a matter of time before the problems came out," Ma said.
Transactions involving stolen databases, including those lifted from major websites, have climbed in recent years. A single database can fetch 1 million to 10 million yuan, said Li, sometimes paid by a competitor of the breached company.
Other hackers may exploit the tendency of less cautious Internet users to use the same names and passwords for several websites, said a security source.
Some hackers use data gathered to test their luck on sites that use virtual money, such as gaming sites, or to break into online bank or retailer accounts. Others sell databases to marketing companies for advertising, spam emails and junk text messages.
Lu said the hacker community had previously passed around and squeezed the value out of the information gleaned from the websites cited during the Leakgate scare. Indeed, he thinks some hackers who released databases recently may have been simply showing off and gloating over their technical skills.
"Many hackers don't announce when they've stolen databases," Lu said. "People in their circles know what's been breached, but they don't necessarily publicize the information. They just flaunt what they've done by circulating it in small circles."
Still, the leaks made it clear that many websites have deep-seated security problems. One reason, said TOPSEC Vice President Liu Hui, is that too many website operators sink most of their money into daily operations but overlook security and prevention measures.
With more Internet users accessing online shopping and social media sites, Ma said, "the value of information contained in website databases is increasing. But security and prevention measures have not been strengthened."
In the past, hackers commonly planted so-called Trojans on Internet user computers and used "phishing" to log on to a bank websites and steal money. But free and widely available anti-virus software crimped these practices, prompting a shift to database sweeps.
It doesn't help that website operators sometimes call in Internet security experts only after their web designers finish work – and that's too late.
"A programmer for a B2C website might spend several months creating a system," said Li Tiejun, an anti-virus software engineer at Kingsoft Corp., a software developer. "Once he thinks there are no problems, he then hires a security professional to find weaknesses. Then the security professional breaks into his system in less than 10 minutes."
Leakgate also raised doubts about the safety of the Chinese government's decision last fall requiring microbloggers in major cities including Beijing, Guangzhou, Shanghai and Shenzhen to register for the services using personal identification. The rule has sparked debates over its possible effects on rumor-mongering and free speech.
Requiring users to register their real names is quite dangerous" because "Internet data and personal information are closely linked, and there are no security guarantees," said Zhou Hanhua, a researcher at the Chinese Academy of Social Sciences.
Even the government can be at risk. Notably, SIIO's announcement playing down Leakgate did not mention the Guangdong data breach.
"Nobody knows how to safeguard his or her rights" when data leaks happen, said Zhou. "All anybody can do is to watch it happen and wonder when it will happen again.
"Our problem is that we don't have effective measures to cope with the problem, and we don't have any applicable laws."
Zhou said a 2009 criminal code amendment aimed at hackers is too vague. It says anyone who "invades a computer information system to steal data shall be subject to criminal detention or imprisonment of up to three years. If the circumstances are extremely serious, the perpetrator shall be sentenced to imprisonment of up to seven years."
The law falls short because, Zhou said, in part because it does not define "serious circumstance." Neither do China's laws set legal responsibilities for companies that collect personal information.
Liu Deliang, a professor and director of the Asia-Pacific Institute for Cyber-law Studies, said the commercial value of personal information is growing with use of the Internet. And as moneymaking potential climbs, he said, website users can expect to see more illegal collecting, processing, sales and commercial abuse of personal information.
Can China strengthen its legal firewall against personal data dangers on the Internet? Perhaps. Some government agencies have reported progress in plugging data leaks and nabbing hackers.
In its January 10 announcement, for example, SIIO said police had detained four people for fabricating news or promoting rumors about password leaks.
But major challenges remain, a fact underscored by cases such as a report filed recently by a financial crime investigator with the police in Shanghai.
In the case, several million yuan was stolen from a personal bank account. Police found the basis for the theft was a criminal team's access to personal information from millions of auto owners. Some data had been stolen by website hackers, and some collected by workers at banks and insurance companies.
The hackers got accomplices inside banks to compare auto owners' data with account names and identification card numbers. Special software was used to guess passwords that could be matched with account holder names until, eventually, the millionaire was found and robbed.