JD’s Data Leak Reveals A Black Industry
The thing is, data leaks are not something that can be fixed by technological means alone. Besides technology, we also have to keep the worst of human nature at bay.
Recently a 12G data package has gone viral on the black market. It contains millions of user records, including personal information such as user names, passwords, email addresses, QQ accounts, phone numbers and ID numbers.
The sellers and buyers on the black market all claim the same thing: “This data is all from JD.”
The mystery of data
Without a doubt, the black market has once again been stirred up by this 12G data package.
The data package has been sold through underground channels at prices ranging from ￥100,000 to ￥700,000.
According to industry insiders, the data package has been sold many times over. “It’s estimated that over one hundred people in the hacker industry have got their hands on the data.”
“The data was leaked a long time ago. It’s unknown how it suddenly got out again now,” the insider revealed, adding that for now it is very hard to tell whether it was the work of a mole or the result of a hacker attack.
According to insiders, after obtaining a batch of data, hackers first try to loot anything valuable from it, such as virtual currency in gaming accounts. This process usually takes months or even longer.
In general, they sell the data only after this first round of looting. “The value of the data has been exhausted, so it’s time to sell it to the market and let others have the rest.”
It should be noted that the passwords in these account records were stored as MD5 hashes rather than in plain text, and dedicated password-cracking software is needed to recover them.
“It takes a lot of time to crack MD5 encryption. But some passwords have already been cracked by others, so those are super easy. For instance, some people have their passwords set to 123456. A new password would take longer.”
Accounts that can be cracked instantly make up 3–5% of the whole data set.
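The two properties the insider describes, that a known hash is matched instantly and that many users are cracked at once, both follow from storing unsalted MD5. The added example below (not code from the article or from JD; all users, passwords and the weak-password list are constructed) audits a small sample table the way a site operator would, and contrasts it with per-user salted PBKDF2 storage, where the same lookup no longer works.

```python
import hashlib
import os
from collections import Counter

# Constructed sample of user records (hypothetical users and passwords, not
# data from the leak). Two users share the weak password 123456.
SAMPLE_USERS = [
    ("alice", "123456"),
    ("bob", "correct horse battery staple"),
    ("carol", "123456"),
    ("dave", "password"),
    ("erin", "9f!Qz&2mLr#t"),
]

# Small constructed list of known-weak passwords an operator audits against.
KNOWN_WEAK = ["123456", "password", "qwerty", "111111"]


def md5_table(users):
    """How the leaked table was stored: plain, unsalted MD5 of each password."""
    return [(u, hashlib.md5(p.encode()).hexdigest()) for u, p in users]


def instant_crack_exposure(records, weak_list):
    """Fraction of unsalted-MD5 records whose hash equals the MD5 of a known-weak
    password: no guessing needed, one table lookup per record."""
    lookup = {hashlib.md5(p.encode()).hexdigest() for p in weak_list}
    return sum(1 for _, h in records if h in lookup) / len(records)


def duplicate_hash_groups(records):
    """Unsalted hashing also leaks reuse: users with the same password share the
    same stored hash, so cracking one reveals all of them."""
    counts = Counter(h for _, h in records)
    return [h for h, n in counts.items() if n > 1]


def store_salted(password, iterations=100_000):
    """Hardened storage: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256),
    so identical passwords no longer produce identical stored values."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, iterations=100_000):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return digest.hex() == digest_hex
```

On the sample table three of five records match a known-weak hash and the two 123456 users are visibly grouped; after salting, no two stored values coincide even for the same password.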
After logging in, hackers gain access to users’ addresses, order histories, transaction information and more. Even our journalist at Yibencaijing found his own information in the database, meaning his information was leaked as well.
“Once hackers have this data, they can hit the library,” the insider said. Hitting the library is a term from the hacker industry (known in English security circles as credential stuffing): hackers take the leaked user names and passwords and try them on other sites to harvest data.
This works because most people use the same user name and password across different sites, which makes hitting the library all the more likely to succeed.
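From the defender’s side, hitting the library has a recognisable shape in login logs: one source address cycling through many distinct accounts in a short time with mostly failed attempts. The added example below (not code from the article; the log lines, addresses and accounts are constructed, and the thresholds are assumptions to tune per site) flags that pattern while leaving a single user retyping their own password alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login logs: "timestamp source_ip account result"
# (hypothetical addresses and account names).
LOG_LINES = """\
2016-12-10T08:00:01 203.0.113.7 u1001 FAIL
2016-12-10T08:00:02 203.0.113.7 u1002 FAIL
2016-12-10T08:00:02 203.0.113.7 u1003 OK
2016-12-10T08:00:03 203.0.113.7 u1004 FAIL
2016-12-10T08:00:04 203.0.113.7 u1005 FAIL
2016-12-10T08:00:05 203.0.113.7 u1006 FAIL
2016-12-10T08:05:00 198.51.100.2 u2001 FAIL
2016-12-10T08:05:30 198.51.100.2 u2001 FAIL
2016-12-10T08:06:00 198.51.100.2 u2001 OK
2016-12-10T09:00:00 192.0.2.9 u3001 OK
"""


def parse(lines):
    """Turn log text into (timestamp, ip, account, success) tuples."""
    events = []
    for line in lines.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, max_success=0.5):
    """Flag source IPs that try many distinct accounts within one window with a low
    success rate. That pattern is credential stuffing ('hitting the library');
    one user retyping their own password hits a single account and is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            accounts = {u for _, u, _ in in_win}
            success = sum(ok for _, _, ok in in_win) / len(in_win)
            if len(accounts) >= min_accounts and success <= max_success:
                flagged[ip] = {"accounts": len(accounts), "success_rate": round(success, 2)}
                break
    return flagged
```

The one successful login inside the flagged burst is exactly the reused credential the article warns about, which is why the rule keys on account spread rather than on failures alone.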
The most severe damage comes from financial accounts, since hackers can transfer large sums of money away.
JD says the leak actually took place in 2013 and has issued an apology. It attributes the breach to a security vulnerability in Apache Struts 2, an open-source web application framework widely used by Internet companies and governments. JD says it notified at-risk customers to update their accounts after detecting and closing the security holes, and that most affected users have done so. However, the firm acknowledges that risks remain for a small portion of users who haven’t updated their accounts.
Not the first time
However, this is not the first time that JD.com users have had their private information put at risk. And hackers are not the only hands behind the scenes.
Another information leak at JD.com occurred in 2015, causing several JD.com users losses totalling millions of RMB. A year later, it emerged that the culprits were three JD.com logistics employees who had obtained 9,313 user records in the course of their work.
E-commerce platforms have long been a frequent target of data attacks.
In early 2014, it was reported that 20G of data containing Alipay user information had been leaked. The investigation found that this leak was also the work of a mole, Li Ming, who abused his position to download user information several times through the company’s back-end system. The information in the 20G of data is extremely detailed, including users’ real names, phone numbers, email addresses, home addresses and purchase records.
Li Ming and his two collaborators sold the user information in batches at different prices, the most expensive as high as ten RMB. One unidentified buyer actually paid ￥500 for the information of 30,000 users.
The interesting part is that these buyers were actually other e-commerce platforms.
Besides Alipay, YHD.com’s data leak in 2012 was also the doing of dismissed staff. In the end, the information of 900,000 users was leaked and sold for ￥500.
Seen from this angle, moles are a major contributor to data leaks. On top of that, technological vulnerabilities leave e-commerce platforms exposed to attack from hackers, and data leaks are very common among them.
The year 2014 was the worst of all.
In March, the account balances of 113 Dangdang.com users were stolen.
The hackers first stole users’ user names and passwords, then changed the linked phone numbers and email addresses, and then bought expensive electronic products with the accounts.
Dangdang ultimately compensated the users under public pressure.
Within the same month, WooYun reported vulnerabilities at Ctrip that could lead to the leak of user names, IDs and bank card information, including passwords.
Ctrip later issued a public statement confirming that 93 users’ accounts were at risk and that it had notified the affected users to replace their credit cards.
At the end of the year, six sub-sites of China’s official train ticketing site, 12306.cn, were also found to have high-risk vulnerabilities that leaked the information of hundreds of thousands of users, including user names, passwords, IDs and email addresses. 12306.cn now offers rewards to anyone who finds vulnerabilities on its site.
Whether it is the work of moles or attacks by hackers, all of it is driven by profit.
Without a doubt, there is an underground data market.
In general, leaked information falls into two categories:
User information, including names, IDs, phone numbers, home addresses, office addresses, email addresses, passwords, online and offline purchase records, medical records and so on.
Online activity information, including phone records, online purchase records, browsing history, IP addresses, geo-location and so on.
Through these data sets, a person can be known from 200 different angles; the database may know you better than you know yourself. These leaked data eventually fall into the hands of criminals and become tools for their private gain.
This year, People’s Daily reported that 78.2% of netizens have had their personal information leaked and 63.4% their online activity information. In addition, 82.3% of netizens have felt the impact of information leaks in their everyday lives.
The claws of the black industry have reached into people’s lives, and the effects can be seen almost anywhere.
According to public data, the economic losses in China caused by information leaks amounted to ￥80.5 billion in 2015.
In fact, the rise of big data has further boosted every party’s demand for data, which in turn accelerates the growth of the black industry.
When Yibencaijing investigated the black industry chain for this story, it found that the number of data brokers runs into the tens of thousands. A single data transaction can range from ten thousand to one million RMB. The scale of the black market may well have already exceeded one trillion.
Users’ privacy and personal information have become commodities flowing through the black market. We all know what this means.
But the thing is, this is not something that can be fixed by technological means alone. Besides technology, we also have to keep the worst of human nature at bay.
JD’s statement on the data leak:
Recently, the mass media reported a data leak at JD. After an investigation by JD’s Information Security Department, the leak was found to have been caused by a security vulnerability in Apache Struts 2 in 2013, an open-source web application framework widely used by Internet companies and governments. We notified at-risk customers to update their accounts after detecting and closing the security holes. Most of the affected users have updated their accounts. However, a small portion of users haven’t updated their accounts.
We strongly recommend that users raise their awareness of cybersecurity and privacy protection. Use uncommon user names and passwords for accounts that involve payment on e-commerce platforms. Increasing password complexity is important to keep your account safer.
Meanwhile, JD has established a long-term and effective cooperation mechanism with the police to fight the underground black industry, hackers who steal user information, and information brokers who buy and sell user information.
[This article is published and edited with authorization from the author @Yibencaijing; please credit the source and include a hyperlink when reproducing it.]
Translated by Garrett Lee (Senior Translator at PAGE TO PAGE), working for TMTpost.
Originally published at www.tmtpost.com on December 15, 2016.