Forefront | Weibo data suspected to have leaked on a large scale; user phone numbers and other information exposed

On the morning of March 19, the Weibo user "Security_云舒" reposted a Weibo post, writing: "Many people's mobile phone numbers have been leaked. You can find their mobile phone numbers from their Weibo accounts... Someone found my mobile phone number through the Weibo leak and came to add me on WeChat."

The netizen then added in a further Weibo message that, after technical queries, he had found that many people's mobile phone numbers had been leaked, among them Weibo-verified celebrities, officials and entrepreneurs. "Lai Zong's mobile phone number was also leaked; I checked it last night." ("Lai Zong" refers to Weibo CEO Wang Gaofei.)

On the Weibo homepage of the netizen "Security_云舒", the personal introduction reads "Founder and CTO of Moan Technology, former director of Alibaba Group Security Research Laboratory". 36Kr checked this against Moan Technology's official website and confirmed it: "Security_云舒" is indeed Wei Xingguo, CTO of Moan Technology, and "云舒" (Yunshu) was his handle at Alibaba.

Under Wei Xingguo's post, netizens continue to leave comments saying they suspect their own data was leaked, mostly their mobile phone numbers. Some even posted screenshots of what appeared to be packaged Weibo personal data offered for sale at 1,799 yuan.

Subsequently, Luo Shiyao, a Weibo user verified as "Weibo Security Director", replied on Weibo: "Thank you for your concern. Every time someone sells (data) online it causes a wave of public opinion. I didn't want to respond, but this Weibo post will be used from now on."

36Kr asked Weibo to verify the "data breach"; Weibo said it was looking into the situation internally.

Regarding the cause of the leak, according to Wei Xingguo's statement on Weibo, the incident was probably because some data was "swept away" through a Weibo interface in 2019, rather than a so-called "database dragging". "Database dragging" refers to a very serious kind of security incident in which hackers break into a website, steal its database and take away all of its data and information.

"A company as large as Weibo is unlikely to be invaded by hackers on a large scale; what they encountered should not be database dragging," a senior figure in the security field told 36Kr. In this person's analysis there are two possible explanations for such a leak: one is "database collision" (credential stuffing), the other is "water leakage" in certain business lines.

Here, "leakage" refers to small, non-core business teams within the enterprise whose systems are not built according to the unified, standardized process and therefore carry risk: for example, failing to isolate key data, failing to apply tiered permission control, and failing to encrypt stored data.

"Database collision" (credential stuffing) is a common method for reselling data on the black market. Many people set the same password on different websites. Once a hacker obtains your password from a website with weaker security, the hacker can try that password against other websites in a loop. This method is called "database collision".

"Most personal information leaks happen at the application layer or on the business side. One source is the large number of internal business employees who need to access data for their work; the other is an interface exposed to the outside or to partners." A domestic cybersecurity expert further told 36Kr, analysing the possibility from another angle, that the personal information leak on Weibo was most likely caused by an address-book friend-matching attack. Many social apps offer a function to match friends through the address book. An attacker can forge the local address book to obtain the association between mobile phone numbers and Weibo accounts: for example, first forge phone numbers from xxxx00001 to xxxx010000 and run the address-book friend match, then forge numbers from xxxx010001 to xxxx020000 and match again, and keep enumerating; in this way the relationship between Weibo IDs and phone numbers can be established.

"It is recommended that large companies turn off the address-book matching function as far as possible. If it is turned on, various data leakage monitoring and flow-control/risk-control measures must be applied to this interface," the above-mentioned person told 36Kr. Such data breaches have become one of the typical stories of the Internet industry. In November last year, the address-book matching function on Twitter was used to obtain the accounts and mobile phone numbers of millions of Twitter users, and then Facebook shut down this function. A well-known data breach in China is the "CSDN million-user information leak" of 2011, in which a hacker published on the Internet more than 6 million plaintext email accounts and passwords from the user database of CSDN, a well-known programmer website.
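The flow-control and risk-control measures recommended above for the address-book matching interface can be made concrete. The following Python class is an added example, not Weibo's or any vendor's code, of the server-side checks a defender would place in front of such an endpoint: a per-batch size cap, a daily per-client quota, a shape check that rejects uploads that look like enumerated number ranges rather than a real address book, and a match-rate floor that catches enumeration even when the ranges are disguised. The class name, thresholds, client identifiers and phone numbers are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class ContactMatchGuard:
    """Hypothetical flow control and risk control for an address-book friend-matching
    endpoint (illustrative design; thresholds are assumptions, not Weibo's values)."""

    def __init__(self, daily_quota=2000, max_batch=500, shape_check_min=50,
                 max_sequential_ratio=0.5, min_match_rate=0.02):
        self.daily_quota = daily_quota              # numbers one client may submit per day
        self.max_batch = max_batch                  # numbers per request
        self.shape_check_min = shape_check_min      # batches this large get a shape check
        self.max_sequential_ratio = max_sequential_ratio
        self.min_match_rate = min_match_rate        # real books match far more than this
        self._uploads = defaultdict(list)           # client_id -> [(time, count)]
        self._blocked = {}                          # client_id -> reason

    @staticmethod
    def sequential_ratio(numbers):
        """Fraction of adjacent numbers (after sorting and de-duplication) that differ by
        exactly 1. A genuine address book is near 0; an enumerated range is near 1."""
        digits = sorted({int(n) for n in numbers if n.isdigit()})
        if len(digits) < 2:
            return 0.0
        steps = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
        return steps / (len(digits) - 1)

    def _uploaded_last_day(self, client_id, now):
        cutoff = now - timedelta(days=1)
        recent = [(t, n) for t, n in self._uploads[client_id] if t > cutoff]
        self._uploads[client_id] = recent
        return sum(n for _, n in recent)

    def check_upload(self, client_id, numbers, now):
        """Decide whether a matching request may proceed. Returns (allowed, reason)."""
        if client_id in self._blocked:
            return False, "client blocked: " + self._blocked[client_id]
        if len(numbers) > self.max_batch:
            return False, "batch larger than %d numbers" % self.max_batch
        if len(numbers) >= self.shape_check_min:
            ratio = self.sequential_ratio(numbers)
            if ratio >= self.max_sequential_ratio:
                self._blocked[client_id] = "enumeration-shaped upload (sequential ratio %.2f)" % ratio
                return False, self._blocked[client_id]
        if self._uploaded_last_day(client_id, now) + len(numbers) > self.daily_quota:
            return False, "daily quota of %d numbers exceeded" % self.daily_quota
        self._uploads[client_id].append((now, len(numbers)))
        return True, "ok"

    def record_match_result(self, client_id, uploaded, matched):
        """Post-match check: a large batch that matches almost nobody is being probed,
        not synced. Returns False and blocks the client when the floor is breached."""
        if uploaded >= self.shape_check_min and matched / uploaded < self.min_match_rate:
            self._blocked[client_id] = "match rate %.3f below floor" % (matched / uploaded)
            return False
        return True


def demo():
    """Exercise the guard with constructed inputs and return the decisions."""
    guard = ContactMatchGuard()
    t0 = datetime(2020, 3, 19, 9, 0, 0)
    # Constructed address book: a handful of unrelated numbers.
    real_book = ["13800138000", "13912345678", "15011112222", "18699990000", "17700001111"]
    # Constructed enumeration batch: a contiguous range, the pattern the article describes.
    enumeration = [str(13800000000 + i) for i in range(200)]
    # Constructed non-sequential batches (step 7) used only to exhaust the daily quota.
    bulk = [[str(13900000000 + 7 * (450 * b + i)) for i in range(450)] for b in range(5)]
    return {
        "real_book": guard.check_upload("app-user-1", real_book, t0),
        "enumeration": guard.check_upload("app-user-2", enumeration, t0),
        "enumeration_retry": guard.check_upload("app-user-2", real_book, t0 + timedelta(minutes=1)),
        "quota": [guard.check_upload("app-user-3", batch, t0 + timedelta(minutes=b))[0]
                  for b, batch in enumerate(bulk)],
        "low_match": guard.record_match_result("app-user-4", uploaded=400, matched=2),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The shape check and the match-rate floor complement each other: the first stops the naive contiguous ranges before any lookup happens, while the second catches an attacker who spreads or shuffles the numbers, because a list assembled by guessing still matches only a tiny fraction of real users. Both decisions should also be logged, since the article's point is that such an interface needs leakage monitoring as well as rate limits.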

Cover image source: Pexels