Social platforms are an evergreen target for cybercriminals. They are immensely popular, with billions of active users, and they give attackers an easy route to influential people who can be impersonated or blackmailed, so attackers keep developing new methods aimed at social media. Facebook, Instagram, Twitter, LinkedIn and similar sites also sell paid advertising that can reach millions of people, which hands an attacker a huge audience. There have been reported cases in which attackers distributed political propaganda through social media and gaming applications. In short: social media was, is, and will remain a desirable field for cybercriminals for all sorts of reasons.
It is no secret that cyberattacks often aim to cause data breaches. According to the Risk Based Security report, data breaches exposed 36 billion records in the first three quarters of 2020, and social platforms store massive amounts of sensitive data about both their users and the network itself. Personal data was involved in 58% of last year's breaches, as varonis.com reports. Just a few months ago, a hacker who had exploited a vulnerable feature of Facebook in 2019 leaked the personal data of more than 533 million Facebook users for free. As Business Insider reports, the exposed data covers users from 106 countries, including over 32 million in the US, 11 million in the UK and 6 million in India, and includes phone numbers, Facebook IDs, full names, locations, birthdates, bios and, in some cases, email addresses.
So it should not surprise us that one of the biggest data breaches of recent years closely resembled Facebook's leak: a large set of profile records tied to phone numbers, harvested through a feature built for legitimate use. It hit the Chinese microblogging site Sina Weibo, often referred to as the Chinese Twitter.
The Sina Weibo Data Breach
At the end of March 2020, Wei Xingguo, the former security chief of Alibaba, announced in a Weibo post that the personal data of more than 538 million of the platform's users, his own included, had been compromised and leaked online. The leaked records contained real names, usernames, user IDs, the number of posts, follower and following counts, gender and geographic location. No passwords were leaked, but that does not mean the exposed information cannot be used for scams, fraud and other impersonation attempts: a real name and location tied to an account is enough material for targeted phishing.
Worse, the sensitive information of 172 million of the compromised accounts was put up for sale on the dark web for as little as 1,799 Chinese yuan, roughly 250 US dollars, as Security Boulevard reports. Unsurprisingly, the incident provoked a public outcry and was covered by a number of Chinese and international media outlets.
Sina Weibo’s Official Statement
On 21 March last year, Sina Weibo posted an official statement on the breach. The company acknowledged the incident as a severe one and said it believed the breach was the result of a so-called dictionary attack. A dictionary attack is a form of brute-force attack that guesses a password or another secret by trying thousands or millions of likely candidates taken from a prepared list, for example passwords from earlier breaches or lists of common phrases. In this case, as the rest of the statement makes clear, the "dictionary" was not a password list but a list of phone numbers fed to a contact-matching feature.
Sina Weibo explained that in 2011 it had introduced a feature that let users find other Weibo accounts by matching them against the contacts in their smartphone address book. The company stressed that the feature only revealed the account name associated with a given phone number. In the same statement, Weibo assured users that passwords are stored with one-way encryption (that is, hashed) rather than as plain text. It nevertheless warned that accounts could still be taken over if the same password is reused on other platforms and websites.
Additionally, according to IT Pro Portal, Sina Weibo said its engineers had identified certain accounts that uploaded large batches of contacts in late 2018 in order to match them against the phone numbers held in the database. It is notable that the matching allegedly occurred in 2018 but was either not noticed for over a year or simply not disclosed. The statement is also not particularly convincing, because it mixes its terms: the company says passwords were not leaked, yet describes the attack as a "dictionary attack", a term that normally means password guessing. The consistent reading is that the attackers guessed phone numbers, not passwords, and used the contact-matching feature as an oracle to link each guessed number to an account. As tesonet.com reports, Chinese security experts also found technical irregularities in the company's claims. No definite conclusion has been reached, and how the data was obtained is still up for debate.
Weibo's Director of Information Security, Luo Shiyao, also commented on the attack, downplaying it, as cited by Security Affairs:
“Phone numbers were leaked due to brute-force matching in 2019 and other personal information was crawled on the Internet. When we found the security vulnerability we took measures to fix it. We also reported to the police as soon as possible and submitted related information to them. Besides, we have been investigating the ‘gray industry’ because we take user personal information very seriously, especially when the personal data contains phone numbers. Don’t be credulous. Both password fields and Know Your Customer (KYC) data fields are not shown in the description. Don’t worry too much. Good night.”
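To make concrete what "brute-force matching" against a contact-upload feature looks like, and what the countermeasures the statement alludes to (an interface security update, identifying accounts that upload large batches) amount to in code, here is an added Python simulation. It is not Weibo's code, and nothing is known about Weibo's actual limits; the directory of 10,000 accounts, the sock-puppet account names, the batch cap and quota values, and the detection threshold are all constructed for the demonstration. It also goes slightly beyond the page by showing that a per-account quota alone only slows an attacker who controls several accounts, which is why the upload log and the bulk-uploader check matter.

```python
"""Contact-discovery enumeration and two countermeasures.

Added example, not Sina Weibo's code.  The directory, account names,
quota values and detection threshold below are constructed for the demo.
"""
from collections import defaultdict, deque

# Constructed directory: 10,000 accounts in one dense phone-number range.
PREFIX = "+861380000"
DIRECTORY = {f"{PREFIX}{n:04d}": f"user{n:04d}" for n in range(10_000)}


def naive_match(numbers):
    """The 'find friends from my contacts' feature with no limits: every
    uploaded number that belongs to a user is resolved to an account name."""
    return {num: DIRECTORY[num] for num in numbers if num in DIRECTORY}


class QuotaExceeded(Exception):
    pass


class ThrottledMatcher:
    """Same feature with a batch cap and a sliding-window lookup quota per
    calling account, plus a log of every upload attempt for later review."""

    def __init__(self, max_batch=500, quota=2000, window=86_400):
        self.max_batch = max_batch          # numbers per single upload
        self.quota = quota                  # numbers per caller per window
        self.window = window                # window length in seconds
        self._usage = defaultdict(deque)    # caller -> deque of (ts, count)
        self.upload_log = []                # (caller, ts, count), incl. rejected

    def match(self, caller, numbers, now):
        self.upload_log.append((caller, now, len(numbers)))
        if len(numbers) > self.max_batch:
            raise QuotaExceeded(f"batch of {len(numbers)} > {self.max_batch}")
        q = self._usage[caller]
        while q and q[0][0] <= now - self.window:   # expire old entries
            q.popleft()
        used = sum(c for _, c in q)
        if used + len(numbers) > self.quota:
            raise QuotaExceeded(f"{caller} used {used}/{self.quota} this window")
        q.append((now, len(numbers)))
        return naive_match(numbers)


def candidate_numbers():
    """The attacker's 'dictionary': every number in the target range."""
    return [f"{PREFIX}{n:04d}" for n in range(10_000)]


def enumerate_naive():
    """Against the unlimited feature the whole directory falls out of a
    handful of large uploads."""
    found = {}
    cands = candidate_numbers()
    for i in range(0, len(cands), 1000):
        found.update(naive_match(cands[i:i + 1000]))
    return found


def enumerate_throttled(matcher, callers, now=0):
    """Attacker splits the dictionary across sock-puppet accounts in
    max_batch-sized uploads and moves to the next account when one is
    throttled.  Returns the number->account pairs recovered."""
    found = {}
    cands = candidate_numbers()
    pos = 0
    for caller in callers:
        while pos < len(cands):
            batch = cands[pos:pos + matcher.max_batch]
            try:
                found.update(matcher.match(caller, batch, now))
            except QuotaExceeded:
                break
            pos += len(batch)
    return found


def flag_bulk_uploaders(upload_log, threshold):
    """Detection: accounts whose total uploaded contacts exceed anything a
    real address book would contain.  Returns {caller: total_uploaded}."""
    totals = defaultdict(int)
    for caller, _, count in upload_log:
        totals[caller] += count
    return {c: n for c, n in totals.items() if n > threshold}


if __name__ == "__main__":
    print("unlimited feature leaks", len(enumerate_naive()), "accounts")
    m = ThrottledMatcher()
    got = enumerate_throttled(m, ["sock1", "sock2", "sock3"])
    print("three throttled accounts still leak", len(got), "accounts")
    print("flagged uploaders:", flag_bulk_uploaders(m.upload_log, 1000))
```

The quota is enforced per calling account, so an attacker with three throwaway accounts still walks 6,000 numbers; what stops the campaign is the second control, which reads the upload log and surfaces any account whose cumulative uploads exceed a realistic address-book size. That is the check Weibo says its engineers eventually ran, and it is far cheaper to run continuously than after the data is already on sale.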
The Consequences of Sina Weibo Data Breach
Soon after the breach was announced, China's information technology regulator summoned Sina Weibo for a face-to-face meeting over the leak. The platform was ordered to strengthen its internal data security management and eliminate further risks. As yicaiglobal.com reports, the Ministry of Industry and Information Technology issued a press release confirming that Sina Weibo had taken action in response, such as updating its interface security strategy. There is no official information on whether Sina Weibo was fined for the breach. For scale, varonis.com puts the average cost of a data breach at $3.86 million as of 2020.
Even if the company has not been fined, it did suffer reputational damage that showed up in its user numbers. As reported by China Internet Watch, the user base is 4% smaller than in the same period last year, and average daily users fell 5% year over year.
While your organization may be well protected against cybercriminals, the third-party websites you use can still pose risks to you and your company. An attack on a social media platform can expose your company's data if you have created a business account there. That should not stop you from using these platforms to grow your organization, but it should shape how you use them: treat business social accounts like any other third-party dependency, with unique passwords, multi-factor authentication where the platform offers it, and a plan for what to do when the platform, rather than you, is breached.
Stay safe by having a thorough cybersecurity program with clear incident response plans in place. If you need help keeping your organization safe in the cyber world, don't hesitate to contact us. 3Cyber-Sec is a boutique cybersecurity consultancy that protects its clients from cyberthreats by crafting tailored security solutions. We use a unique collaborative approach to guide our clients safely throughout their cyber journeys.