Last week, China was rocked by the news that more than 500 million user accounts at Weibo, one of its biggest social networks and the Chinese equivalent of Twitter, had been breached. With as little as 10 RMB ($1.60) worth of ETH or BTC, anyone can now purchase the private data of Weibo users.
If last week's news stories are to be believed—and I do believe them—the scale of the breach is unprecedented. Supposedly, the account data is being traded on social networks. (See screenshot below.) The leaked data includes phone numbers, locations, follower counts, gender, and most importantly, passwords. (Not all bad news, though: one user was reportedly able to retrieve his own lost password this way, I'm told.)
A WeChat screen grab showing Weibo user data for sale.
In this week’s da bing, we look at the story behind the data breach—and why the Chinese crypto community cares so much about it.
Chinese hack attacks
Data breaches are as common in China as they are everywhere else in the world. In 2011, the popular site CSDN (China Software Developer Network) was hacked, and the account data of some 6 million users ended up in criminal hands. That was nothing compared to 2018, when the data of more than 130 million hotel guests turned up for sale on the dark web for a mere 8 BTC (then around $56,000). More recently, a whole industry has arisen around selling celebrities' personal information: you can buy Chinese stars' phone numbers, travel itineraries, even their national ID numbers. Prices start at around $20 for your own piece of the "dark idol economy."
But last week’s breach was breathtaking in its scope, even for China. “Weibo’s data leak is insurmountable because of its scale and depth,” Yao Xiang, a security expert based in Shanghai, told me. “Not only were most users affected, but also the type of data that is being leaked is dangerous. After all, this is sensitive information, such as passwords and national IDs, the official ID of every Chinese citizen that’s supposed to be kept private.” National IDs are similar to passports; you need one to board a flight or get a hotel room.
Weibo says no massive breach
For its part, Weibo denied that there was a massive breach and said it was untrue that all 500 million users were compromised. In its response to 36Kr, a Chinese tech site, Weibo said the problem stemmed from a security flaw dating to 2018: attackers uploaded batches of phone numbers, harvested the Weibo nicknames registered to those numbers, and sold the pairs on the dark web. "No national ID, password [breach], or damage to Weibo's functioning," the company claimed.
Given the vast amount of data that appears to be available, security experts such as Xiang, as well as most Weibo users, are skeptical. "It could be an API issue, or an internal risk management issue," he mused. "What's plausible from the incident is that Weibo does not follow the common practice of hashing users' data into an unreadable format, as per the government's request."
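To make Xiang's point concrete, here is an added example (not part of the original article, and not Weibo's code) of what "hashing users' passwords into an unreadable format" means in practice, and why a leaked table of hashed records is far less useful to a buyer than a leaked table of plaintext. It uses PBKDF2-SHA256 from Python's standard library with an iteration count and sample accounts invented for the example; a memory-hard function such as scrypt or Argon2 is the better choice where available.

```python
# Added example, not Weibo's code. Sample user records are constructed.
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption: an iteration count chosen for this example, not a Weibo setting.
ITERATIONS = 200_000
DK_LEN = 32
SCHEME = "pbkdf2-sha256"


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted key derivation: the expensive step an attacker must repeat per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)  # fresh per-user salt
    digest = _derive(password, salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != SCHEME:
        return False  # unknown scheme: refuse rather than guess
    digest = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_user_table(credentials: Dict[str, str], hashed: bool) -> Dict[str, str]:
    """Simulate the users table a breach would dump, with or without hashing."""
    return {user: (hash_password(pw) if hashed else pw) for user, pw in credentials.items()}


def passwords_visible_in_dump(table: Dict[str, str], credentials: Dict[str, str]) -> int:
    """Count passwords a buyer of this dump can read straight off the page."""
    return sum(1 for user, pw in credentials.items() if table[user] == pw)


if __name__ == "__main__":
    # Constructed sample accounts; two users chose the same weak password.
    creds = {"alice": "weibo2018", "bob": "weibo2018", "carol": "correct horse battery"}
    plaintext_dump = build_user_table(creds, hashed=False)
    hashed_dump = build_user_table(creds, hashed=True)
    print("plaintext dump exposes", passwords_visible_in_dump(plaintext_dump, creds), "passwords")
    print("hashed dump exposes", passwords_visible_in_dump(hashed_dump, creds), "passwords")
    # Per-user salts mean the dump does not even reveal that alice and bob share a password.
    print("alice and bob records identical:", hashed_dump["alice"] == hashed_dump["bob"])
    print("login check for alice:", verify_password("weibo2018", hashed_dump["alice"]))
```

One caveat a practitioner would add: hashing protects passwords, but it does nothing for the phone-number-to-nickname pairs Weibo itself admits were harvested. Those fields must stay queryable for the service to work, so the defence there is rate limiting and abuse detection on the lookup feature, not hashing.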
“If you don’t like someone, you just expose all their privacy under the sun.”—Marvin Tong, hacker victim.
Indeed, Chinese tech companies such as Weibo operate under very different security standards. Under Chinese cybersecurity law, password management is not a private matter but "governed by the Party." Backdoors are common practice, and people seem mostly fine with that, on the understanding that only the government would have access to their intimate information. But now the tide has turned, and their data is exposed under the sun on the dark web.
How the crypto circles reacted
The news has stirred crypto circles in China, for two reasons. First, the payment method is, unsurprisingly, crypto. According to Suji Yan, founder of Maskbook, free software that lets people encrypt their posts and chats: "Many crypto folks in China have only heard of using crypto to buy personal data. But to be frank, not many have done it. The news opens the floodgate."
Second, for a community that cares about privacy, the data breach is a stark example of a failed centralized data system. Weibo is like an inferior cousin of Facebook. Yes, like most Chinese tech companies, it's a centralized machine that tracks users' data. But Weibo also serves as the government's cudgel, censoring opposition voices, including the first post that exposed the data leak.
Weibo's failure to protect user data has become a very public, powerful argument for decentralization and anti-surveillance. It may help people understand some of the privacy-protecting uses of blockchain technology, which the government opposes.
Top 3 other things that happened
#1. TokenMask: catching the Covid-19 fad
You know it was only a matter of time before someone tokenized masks (yes, surgical masks) on the blockchain. Under the name of charity, the project “TokenMask” announced that it will launch token sales on two Chinese crypto exchanges, simultaneously.
Claiming to be backed by 136 charity organizations around the world, TokenMask aims to build a globally distributed charity donation platform to balance the supply of masks in areas heavily infected by Covid-19. The project has also embraced the latest blockchain use cases, such as "digital identity, smart donation, on-chain information sharing, and donation guarantee."
How can a token project solve the western world’s mask shortage? No idea—TokenMask doesn’t provide an answer.
I can’t find out anything about its founding organization, the "British Dawning Organization." Googling the NGOs listed as part of the alliance turns up little, and some don’t even appear to exist. And the way this thing is being marketed in China—on third-tier exchanges, via token airdrops and multi-level rewards—seems suspicious. I reached out to the organization with a number of questions, but have not yet heard back.
#2: Yunnan, the peacock & blockchain province
China has 23 provinces, and many of them have announced some sort of blockchain strategy. The latest addition is the province famous for its industrial cannabis farms and beautiful peacocks: Yunnan.
On March 17th, Yunnan unveiled a new science and technology industrial park. Two dozen blockchain companies became the first batch to settle in. The goal of the park is to establish a new “experimental ground” for blockchain’s industrialization in the province.
On the same day, Yunnan also unveiled its province-wide official blockchain platform. It will be used for logistics: tracking and tracing Yunnan’s top 10 organic foods, industrial cannabis, and cross-border e-commerce transactions, among other things.
To stand out from the other provinces, Yunnan also unveiled a peacock trademark. There wasn’t much information about how the trademark will be used on the blockchain platform, but state media said it would help track and certify the provenance of the region's "Top Ten Famous Products."
A logo for an older, apparently defunct Chinese Peacock brand.
It’s worth noting that Alibaba is among the companies in the industrial park. Its subsidiary, Alibaba Cloud, designed the Peacock Trademark. More evidence, as if any were needed, that the tech giants are increasingly offering services to local governments racing to put products or services on the blockchain. A win-win for both.
#3: Tech firms and their blockchain product strategy
Speaking of big tech companies, Tencent Cloud is blowing kisses to blockchain, too. On March 18th, it announced a new “supply chain finance smart service platform that combines big data, cloud computing, AI, and of course blockchain.” Emphasis added.
The news itself is hardly worth reporting, but it illustrates a trend among tech companies: blockchain has taken its place alongside, if not ahead of, other buzzwords such as cloud, AI, and the Internet of Things. We’ve seen similar press releases from Alibaba Cloud and Ant Financial. But we almost never see an actual blockchain business unit emerge from these big tech firms.
By contrast, western tech firms such as IBM, EY, Microsoft, Facebook and Deloitte are all exploring distinct blockchain offerings that touch both public and enterprise blockchains. Many of them are engaged in large deals spanning many countries and companies.
As China moves forward with its blockchain national anthem, it’s questionable whether its big tech companies are really singing its praises, or just paying lip service to it.
Do you know?
The term 人肉搜索 is translated as “human flesh search” and is the Chinese equivalent of doxing. One of the whistleblowers in the Weibo data breach, Marvin Tong, who was among the first to blog about it, was later retaliated against by the hackers in this way: they published his phone number, ID, and occupation and encouraged other hackers to spam him into oblivion. “It just shows how toxic our culture is,” Tong told me. “If you don’t like someone, you just expose all their privacy under the sun.”