Chinese social media platform Weibo has admitted that the phone numbers of hundreds of millions of users were put online as a result of a data breach in 2018, after a Weibo user’s post on March 19 exposed the leak.
Yesterday morning, Weibo user Wei Xingguo, the co-founder of cybersecurity firm Moresec and previously a security director at Alibaba, posted that phone numbers, which can be tied to a user’s Weibo account information, have been leaked online. “I believe this includes celebrities, entrepreneurs and civil servants, including me, Weibo’s CEO and everyone,” he wrote, before deleting the post on the same day.
Weibo has 516 million monthly active users as of December 2019, according to the company’s earnings report for the fourth quarter of 2019.
Comments underneath Wei’s post partly corroborated the allegation, pointing to packages for sale on a dark web marketplace that claimed to contain 538 million accounts with phone numbers, of which nearly 172 million included additional account information such as Weibo activity, gender, and location.
The dark web is a part of the internet that isn’t indexed by traditional search engines and requires the use of anonymizing browsers to be accessed.
Weibo later responded to 36Kr regarding this matter, admitting that, at the end of 2018, there were users leveraging a built-in API illegally to match millions of Weibo accounts with linked phone numbers, then sell these online.
However, Weibo denied its service had been compromised. The company said that while Weibo allows users to find Weibo accounts using their phone contacts, this leak didn’t involve identity numbers, passwords, or other private data.
“After this incident, we reinforced our security strategy in a timely manner and will continue to strengthen it in the future,” Weibo said in the response.
One cybersecurity veteran told 36Kr that this data breach was probably caused by a feature, common on many social apps, that allows users to upload their phone contacts to find people they know on the network. Attackers could upload fabricated contact lists and harvest the Weibo accounts the service reported as matches for those numbers.
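The following is an added example, not Weibo’s code and not from the article, showing the defensive side of the contact-matching feature described above: a lookup endpoint that enforces a per-request batch cap, a per-account budget of distinct numbers that may be checked, and a heuristic that flags uploads made up of sequentially generated numbers rather than a real address book. The registry, the thresholds (`MAX_BATCH`, `DAILY_BUDGET`, `SEQUENTIAL_RUN_FLAG`) and all phone numbers are constructed for illustration.

```python
"""Contact-matching endpoint with enumeration controls (added illustrative example).

A "find friends by phone number" feature must answer "which of these numbers
belong to registered users?", which is exactly what a bulk enumerator wants to
ask. The controls below limit how many distinct numbers one caller can test
and refuse uploads that look synthetic, and they write an audit record for
each refusal so detection teams can review abuse attempts.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample registry (assumption): phone number -> account handle.
REGISTRY = {
    "+8613800001001": "user_a",
    "+8613800001002": "user_b",
    "+8613800001003": "user_c",
    "+8613900002050": "user_d",
}

MAX_BATCH = 500           # contacts accepted per upload request (assumed value)
DAILY_BUDGET = 2000       # distinct numbers one account may look up per day (assumed)
SEQUENTIAL_RUN_FLAG = 20  # a run of N consecutive numbers is treated as synthetic (assumed)


@dataclass
class AccountState:
    looked_up: set = field(default_factory=set)  # distinct numbers already checked today
    flagged: bool = False                        # suspended pending manual review


class ContactMatcher:
    def __init__(self, registry):
        self.registry = registry
        self.accounts = defaultdict(AccountState)
        self.audit_log = []  # (caller, event, detail) tuples for the SOC

    @staticmethod
    def longest_sequential_run(numbers):
        """Length of the longest run of numbers that differ by exactly 1.

        Real address books are sparse and scattered across number ranges;
        a long consecutive run indicates a generated list.
        """
        digits = sorted({int(n.lstrip("+")) for n in numbers})
        best = run = 1
        for prev, cur in zip(digits, digits[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        return best

    def match(self, caller, contacts):
        """Return {'status': 'ok', 'matches': {...}} or {'status': 'denied', 'reason': ...}."""
        acct = self.accounts[caller]
        if acct.flagged:
            return {"status": "denied", "reason": "account suspended pending review"}
        if len(contacts) > MAX_BATCH:
            self.audit_log.append((caller, "batch_too_large", len(contacts)))
            return {"status": "denied", "reason": f"batch exceeds {MAX_BATCH} contacts"}
        run = self.longest_sequential_run(contacts)
        if run >= SEQUENTIAL_RUN_FLAG:
            acct.flagged = True
            self.audit_log.append((caller, "sequential_upload", run))
            return {"status": "denied", "reason": "upload flagged as synthetic contact list"}
        # Re-checking numbers already seen today costs nothing; only new ones count.
        new_numbers = set(contacts) - acct.looked_up
        if len(acct.looked_up) + len(new_numbers) > DAILY_BUDGET:
            self.audit_log.append((caller, "budget_exceeded", len(new_numbers)))
            return {"status": "denied", "reason": "daily contact lookup budget exhausted"}
        acct.looked_up |= new_numbers
        matches = {n: self.registry[n] for n in contacts if n in self.registry}
        return {"status": "ok", "matches": matches}


if __name__ == "__main__":
    matcher = ContactMatcher(REGISTRY)
    # A realistic, scattered address book (constructed).
    print(matcher.match("alice", ["+8613800001001", "+8613900002050", "+8613700009999"]))
    # A generated block of 50 consecutive numbers (constructed) is refused and logged.
    print(matcher.match("mallory", [f"+86138000010{i:02d}" for i in range(50)]))
    print(matcher.audit_log)
```

The sequential-run heuristic is deliberately simple; in practice it would sit alongside per-IP and per-device limits and a comparison of the caller’s match ratio against the population baseline, but the budget alone already turns “hundreds of millions of lookups” from one account into a long, noisy, reviewable campaign.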
While the Weibo leak allegedly includes no private information, its value lies in the fact that it can be combined with other data, obtained and sold via various channels, to greatly compromise a user’s online accounts and identity.
Data leaks have posed a serious threat to online platforms around the world. Just last month, Twitter released a statement saying it discovered attempts by possible state actors to access phone numbers associated with user accounts.