zz The Godfather of Hackers Explains the Entire Process of Account Leakage

On December 19, 2011, Gong Wei, known in China as the "Hacker Godfather", posted on his Tencent Weibo account, warning once again that a crisis of trust on the Internet was about to erupt. Within the following 48 hours, the Chinese internet experienced the largest and most damaging security incident in its history. Tencent Technology invited Gong Wei to give an in-depth analysis of the incident from a professional perspective.

Gong Wei stated that the data leaked by hackers this time amounted to approximately 100 million user accounts and their associated password information. Underground hackers are estimated to hold far more: what has been leaked and disclosed is only the tip of the iceberg compared with the number of accounts they actually possess. An estimated 400 to 600 million user account records are circulating in the underground hacker community (according to 2011 statistics, China had 480 million internet users). The website data leaked this time is only a small fraction of what circulates there.

He revealed that a considerable number of websites store user passwords in plain text; an estimated 200 million user passwords are stored that way. Over 90% of the remaining websites store passwords as hashes produced by the publicly documented MD5 algorithm. With a simple rainbow-table collision (a lookup-based method of recovering hashed passwords), such stored passwords can be cracked in a matter of seconds.

The following is a basic timeline of the account leakage in this incident:

December 21: CSDN's 6.4 million user accounts, passwords, and email addresses were leaked by hackers.
December 22: Various well-known Chinese websites were completely compromised. The scope of the leak was extensive, and the leaked information involved many user-related businesses... A password security issue that swept across China erupted...
December 23: After confirmation, CSDN was leaked, Duowan was leaked, and Dream of the Three Kingdoms accounts were leaked through a Trojan horse. Some accounts on Renren were also leaked.
December 23: Netizens revealed that Tianya was compromised... The 7K7K package contained Tianya account passwords!!! Where is internet security???
December 24: 178 was compromised, UUU9 was compromised, the situation escalated...
December 24: Tianya was completely compromised, with leaked information involving up to 9 million accounts...
December 24: Netease Tumu Online was also compromised, with a staggering amount of data...
December 25: Baidu suspected of leaking account information from its account open platform...
December 25: Beijing Qilin Network Information Technology Co., Ltd. suspected of leaking Baidu and PPLive account information, and all of its own account information was leaked...
December 25: UUU9.COM was hacked twice...
December 25: The situation escalated, with Tianya suspected of leaking 40 million user data...
December 25: 178 was dragged into the leak for the second time, with 1.1 million data records leaked...
December 25: Muma Ant was exposed to encrypted user data, with approximately 130,000 data records...
December 25: Well-known dating website confirmed the leakage of 5,261,302 account information...
December 26: Myspace was leaked, Thunder successfully downloaded 3 leaked packages!
December 26: Ispeak leaked account information, verified! Please notify members to change their passwords!
December 26: Package 17173.7z circulating on the internet, 17173.0 contains 178 account information, 178 was tragically dragged into the leak 3 times.
December 26: Package 17173.7z circulating on the internet, 17173.3 contains UUU9.COM account information, leaked data is unknown.
December 26: Symbian smartphone website has a high accuracy rate of 70%!! Symbian smartphone website may be compromised.
December 27: Netease Tumu Forum passwords were recovered by hash collision and all user information was confirmed! A total of 135 files, 4.31GB of data, leaked; the dump is suspected to date from July 9, 2011, at 15:09:11 (a forum post was made at the time, but the vendor did not respond).
December 27: 178.com completely compromised, with a total of over 11 million+ data leaked!
December 27: 766 verification leaked, with over 100,000 leaked data records!
December 27: ys168 verification leaked, with over 300,000 leaked data records!
December 27: Vancl 200,000, Dangdang 100,000, Amazon 200,000 user data verified leaked.
December 28: Pacific Computer leaked 2 million user data, including user accounts.
December 28: University database leaked, ID card information leaked, more sensitive content leaked by hackers, leaked data is unknown, can only be inferred from screenshots!

The following is basic information about the account leakage in this incident:
CSDN leaked a total of 6.4 million accounts, leaked information: accounts, plain text passwords, email addresses;
Duowan: a total of 8 million accounts leaked, leaked information: accounts, MD5 encrypted passwords, some plain text passwords, email addresses, Duowan nicknames;
178.COM: a total of 1.88 million accounts leaked, leaked information: accounts, MD5 encrypted passwords, all plain text passwords, email addresses, 178 nicknames (178 accounts are commonly used on NGA);
Tianya: a total of 40 million accounts leaked (estimated to exceed 40 million data), leaked information: accounts, plain text passwords, email addresses;
Renren: a total of 5 million accounts leaked, leaked information: plain text passwords, email addresses;
UUU9.COM: a total of 7 million accounts leaked, leaked information: accounts, MD5 encrypted passwords, all plain text passwords, email addresses, U9 nicknames;
Netease Tumu Online: approximately 4.3GB, 137 files leaked, leaked information: accounts, MD5 encrypted passwords, other related data;
Dream of the Three Kingdoms: approximately 1.4GB (stolen by Trojan horse), leaked information: accounts, email addresses, plain text passwords, character names, server locations, last login times, last login IPs.
Beijing Qilin Network Information Technology Co., Ltd.: a total of 9,072,966 accounts leaked, leaked information: accounts, plain text passwords;
Well-known dating website: a total of 5,261,302 accounts leaked, leaked information: accounts, plain text passwords;
Ispeak.CN: a total of 1,680,271 accounts leaked, leaked information: accounts, plain text passwords, nicknames;
Muma Ant: a total of 130,000 accounts leaked, leaked information: accounts, encrypted passwords, database sorting IDs, other information;
Symbian Forum: a total of approximately 1.4 million accounts leaked, leaked information: accounts, plain text passwords, email addresses;
766.COM: a total of approximately 120,000 accounts leaked, leaked information: accounts, md5(md5(pwd).salt) passwords, salt, email addresses, database sorting IDs;
ys168: a total of approximately 300,000 accounts leaked, leaked information: accounts, plain text passwords, email addresses;
Dangdang: a total of approximately 100,000 user data leaked, leaked information: real names, email addresses, home addresses, phone numbers;
Vancl: a total of approximately 200,000 user data leaked, leaked information: real names, email addresses, home addresses, phone numbers;
Amazon: a total of approximately 200,000 user data leaked, leaked information: real names, email addresses, home addresses, phone numbers.
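The table above lists three storage tiers: plain text, bare MD5, and 766.COM's md5(md5(pwd).salt). The following added example (written for this post, not code from the article or from any of the sites named) makes the difference concrete: one precomputed table resolves every unsalted MD5 row from any site, a per-user salt forces fresh work per row but leaves MD5 fast, and a slow salted KDF is what a site should store instead. The wordlist and sample rows are constructed; they are not data from the leaks.

```python
import hashlib
import hmac
import os

# Constructed wordlist and sample rows, not data from the leaks the article describes.
WORDLIST = ["123456", "password", "qwerty", "111111", "abc123"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_table(words):
    """Precompute md5(word) -> word once. This is the article's 'rainbow table
    collision' in its simplest form: a table built once resolves unsalted MD5
    rows from every site using the scheme, which is why the cost is seconds."""
    return {md5_hex(w): w for w in words}


def resolve_unsalted(rows, table):
    """rows: iterable of (account, md5_hex). Each row costs one dict lookup."""
    return {acct: table[h] for acct, h in rows if h in table}


def resolve_salted(rows, words):
    """rows: iterable of (account, hash_hex, salt) in the md5(md5(pwd).salt)
    scheme. The precomputed table no longer applies: every row needs a fresh
    pass over the wordlist, so the salt raises the cost per account even though
    MD5 itself stays fast and a weak password is still found."""
    found = {}
    for acct, h, salt in rows:
        for w in words:
            if md5_hex(md5_hex(w) + salt) == h:
                found[acct] = w
                break
    return found


def store(pwd: str, salt: bytes = b"", iterations: int = 600_000):
    """What a site should store instead: PBKDF2-HMAC-SHA256 with a random
    per-user salt and an iteration count that makes each guess cost hundreds
    of thousands of hash operations rather than one."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, iterations)
    return salt.hex(), dk.hex()


def verify(pwd: str, salt_hex: str, dk_hex: str, iterations: int = 600_000) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", pwd.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)
```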

Who is the mastermind behind all this? Gong Wei believes that, in a sense, any security company could be a direct beneficiary after the incident. The first person to disclose the CSDN leak was an unknown technician at Jinshan, but he was not the original owner of the data, and he could not have assembled such a huge volume of it on his own. It is equally clear that commercial companies, which have long stood on the opposite side from hackers, would not want to get mixed up in an incident with such significant social impact.

He stated that, from a technical standpoint, one or several hacker teams could well control this vast body of underground information. However, disclosing it is of no value to them, and so far no hacker team has claimed any part of this incident. Leaking nearly a billion user records merely to become famous is clearly implausible.

He believes that this leak is a butterfly effect. Once part of the passwords is leaked, the first thing users do is change their passwords on all the websites they use. For hackers, on the other hand, the account passwords they previously obtained came from many different websites. When they realize that the passwords they hold are about to lose all value, they entertain the public by sharing the data they have, using the hacker's characteristic rebellious streak to ridicule and mock these so-called portal websites. This is a chain reaction.

Industry chain analysis: Gong Wei said that the underground hacker industry is clearly divided into segments. Once a crew obtains a site's user account data (hackers commonly call this "database brushing"), a streamlined process of cleaning the database begins, and a large group of people are waiting for these account passwords (hackers commonly call this "database cleaning"). The first step of offline cleaning is to test whether each credential logs in to any of nearly 500 large websites. The accounts are then categorized and ranked by value: for example, short QQ accounts (5 or 6-digit QQ numbers), systems holding virtual currency such as Alipay, and online gaming systems. In the first round of cleaning, the most directly monetizable assets, virtual currency and game accounts, are transferred out. A second team then filters the cleaned database for basic information about each user, such as password habits and answers to password-recovery questions, and uses it to try the user's other accounts in a second round of cleaning.

When the account data of certain website maintenance staff is obtained, their passwords are likely to double as maintenance passwords for the sites they run. This gives hackers further opportunities for intrusion: they will try these administrators' passwords to expand the scope of their intrusion (hackers commonly call this "social engineering cracking").

Gong Wei stated that further industry chains wait on these database cleaners. Registration counts are in demand everywhere: game operators need registered-user figures, and advertisers need user numbers. Database cleaners can inflate a client's registered-user count on short notice, and every one of those users is real.

He revealed that what is even more frightening is that the social relationships between accounts can be inferred from the database. If a given password is used by only 5 accounts, those accounts are aliases of one person. If an email domain is shared by only 30 users, they are friends or colleagues with some specific relationship. If multiple accounts post to Weibo from the same IP address at the same time, their owners must be very close. If the answer to a password-recovery question is shared by no more than 10 accounts, those accounts are connected. There are more hacker analysis algorithms of this kind, and they all serve one purpose: they are the starting point of the next industry chain, which can be fraud or extortion, because the hackers now know all the secrets behind these internet users.

He explained that even after all the value has been squeezed out of them, these accounts are still worth something. The information is sold off cheaply to groups that specialize in spam email and advertising. Each click you make brings them 1 cent of income.

Note: The industry chain part can refer to Tencent Technology's exclusive series of articles "Hacker Reveals Account Leakage: Privacy Sold Multiple Times".

Special thanks to the organizers of the COG forum and hacker veteran Gong Wei (Goodwill) for accepting an exclusive interview with Tencent Technology.
