Personal information of more than 500 million Weibo users has been found for sale on the dark web, as reported by ZDNet and Chinese media.
The bad actor claiming to have breached the famous Chinese social network last year posted ads touting the stolen goods, including names, usernames, gender, location, and the phone numbers of 172 million users. Curious how much the data is worth? The perp is offering it for 1,799 Chinese Yuan or 250 U.S. dollars.
Although passwords are not included, the leaked accounts may still be susceptible to additional breaches. Most online users re-use passwords when setting up accounts, and threat actors may cross-reference the records with data from other leaks to launch new attacks.
The company explained that, since 2011, it has had a service in place that allows users to find Weibo accounts using the contact list from their phones, and that this leak did not involve passwords or other private data.
In another report, Weibo denies any security incident, but admits that, in 2018, some users were exploiting a built-in API to match Weibo accounts with linked phone numbers and then selling them online.
The social media platform also claims that one-way encryption is used, and no user passwords are stored in plain text. The company considers this security incident severe and will continue to strengthen security policies, while investigating the allegations with local police.
Any security incident or data breach can have serious consequences for victims, especially when personally identifiable information is involved. Bad actors can use the stolen data in many ways, such as personalized phishing emails, account takeover, identity theft and fraud.