Details of the incident outside the password disclosure door
Netizens revealed that CSDN's user database had been hacked and that data on more than 6 million users had been leaked. CSDN officials later confirmed this, saying that the database was one CSDN used as a backup in 2009, and that the reason for the leak had not been ascertained. CSDN then issued a public apology letter to users, saying that it had reported the case to the public security organ, and that all the account password databases of the existing 20 million registered users had been ciphertext protected and backed up.
At present, the earliest discoverer of this incident comes from Wuyun's safety feedback platform 12 on the afternoon of June 29th. After the user data of CSDN and Tianya community were leaked, the Internet industry fell into panic. In the field of e-commerce, where user data is the most important, there have also been reports of loopholes and of leaked user information. Wuyun, a vulnerability reporting platform, released a vulnerability report yesterday, saying that the information of a large number of Alipay users had been leaked and used for online marketing, with a total of 6,544 leaks. Companies involved include JD.COM Mall, Alipay and Dangdang. Among them, JD.COM and Alipay denied information leakage, while Dangdang said it had reported the case to the local police.
We are very sorry that the CSDN user database has been leaked, and your user password may be made public. If you use the same password on other websites, we sincerely ask you to change the password related to CSDN. Please be sure to change the passwords of related websites at the same time.
CSDN has officially reported the case to the public security organ, and the public security organ is also investigating relevant clues.
Once again, I apologize deeply!
Statement on the disclosure of user accounts on CSDN website: (part)
In the early days, CSDN website used plaintext password, which was brought by integration verification with third-party chat programs, but later programmers never dealt with it. Until April 2009, the programmer at that time modified the password storage method and changed it to an encrypted password.
However, some old plaintext passwords have not been cleared. At the end of August 2010, all passwords in the account database were cleared. On New Year's Day 2011, we upgraded the account management function of CSDN, and used a strong encryption algorithm to solve various security problems of CSDN accounts.
It was plaintext before April 2009, and it was encrypted after April 2009, but some plaintext passwords were not cleared; at the end of August 2010, all plaintext passwords were cleared. Therefore, from September 2010, everything is safe, and it may not be safe before September.
The leaked CSDN plaintext account data was from before September 2010, and most of it was from before April 2009. Therefore, it can be judged that the leakage time was before September 2010. The cause of the leak is under investigation.
Countermeasures
1. For users registered before September 2010, we will prompt them to change their passwords, and also prompt them to change the same passwords on other websites as soon as possible.
2. We will prompt all users with weak passwords to change their passwords and prompt them to change the same passwords on other websites as soon as possible.
3. We will send an email to all users registered before September 2010 to remind them to change their passwords, and remind them to change the same passwords on other websites as soon as possible.
4. We will temporarily close the login of CSDN users and verify the leaked account database on the network. All leaked accounts with unchanged passwords will be reset.
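The statement describes two steps: replacing leftover plaintext passwords with protected ones, and checking the leaked database against current accounts so that unchanged passwords are reset. The following is an added example, not CSDN's code; the table layout, function names, sample accounts and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def make_hash(password, salt=None):
    """Salted PBKDF2 hash stored as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def sample_accounts():
    """Constructed legacy table: two rows still hold plaintext passwords."""
    return {
        "alice": {"plaintext": "summer2008", "pw_hash": None},
        "bob": {"plaintext": "Tr0ub4dor&3", "pw_hash": None},
        "carol": {"plaintext": None, "pw_hash": make_hash("new-passphrase-2011")},
    }

# Constructed stand-in for the leaked dump: (username, leaked password) pairs.
LEAKED = [("alice", "summer2008"), ("bob", "bob-old-2008"),
          ("carol", "carol2009"), ("dave", "not-a-user")]

def migrate(accounts):
    """Hash every leftover plaintext password, then erase the plaintext."""
    migrated = 0
    for row in accounts.values():
        if row["plaintext"] is not None:
            row["pw_hash"] = make_hash(row["plaintext"])
            row["plaintext"] = None
            migrated += 1
    return migrated

def accounts_to_reset(accounts, leaked):
    """Flag accounts whose current password still matches the leaked one."""
    hits = []
    for name, leaked_pw in leaked:
        row = accounts.get(name)
        if row and row["pw_hash"] and verify(leaked_pw, row["pw_hash"]):
            row["must_reset"] = True
            hits.append(name)
    return sorted(hits)
```

Running `migrate` a second time returns 0, which is the check that no plaintext rows were left behind, the gap the statement says persisted from April 2009 until the end of August 2010.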
Renren.com official Weibo announcement
According to the official statement of CSDN website, a large number of user names and passwords of CSDN were exposed! If the password of your Renren account is the same as that of CSDN or other websites, it is recommended that you modify the password immediately to prevent the account from being stolen.
In response to this incident, Jiang Tao reflected on 20 12 65438+ 10/month1. He said that at present, there are two situations in domestic Internet companies, one is to attach importance to business, and the other is to lack security awareness and insufficient understanding of data security and system security. "Internet data was leaked on a large scale. This problem has existed for a long time. For a long time, the whole information system in China has problems. This is a problem for all Internet companies," he said. "The scanning results of websites by third-party data security audit companies show that more than 80% of Internet companies have loopholes, and more than 60% of companies with security policies still have loopholes. This is the status quo of our Internet."
"80% of the password base can be cracked"
Jiang Tao said: "From the data analysis results, nearly 80% of the password base on the server can be cracked. Even after the information was leaked, only 30% of users changed their passwords, so domestic Internet companies should pay more attention to the construction of the security system. " To this end, CSDN announced yesterday that it will cooperate with Alibaba Cloud to launch a developer service platform, which will rely on Alibaba Cloud's security infrastructure.
Event fermentation
The day after CSDN admitted that about 6 million users' passwords had been leaked, many well-known websites including Tianya, Jiayuan, Zhenai, Meikong.com and Lily.com were reported to have similar problems. It is reported that, like the information leaked from CSDN before, all the leaked Tianya user passwords were stored in plain text, but on a larger scale: about 40 million user passwords have been leaked.
Tianya community said in its letter of apology that, due to historical reasons, Tianya community used plaintext passwords in the early days. In June 2009, 1 1, the password storage mode was changed to encrypted passwords, but some old plaintext passwords were not cleaned up. The users whose data was leaked by hackers this time were users registered before the password storage method was upgraded in June 2009. However, Tianya did not confirm in the announcement how many users' passwords were leaked.
Has been reported
Tianya Community said that Tianya.com upgraded the user account management function of Tianya Community on May 2, 201/,and used strong encryption algorithm to solve various security problems of Tianya Community user accounts.
"After learning that the user's privacy was leaked by hackers, Tianya.com has launched an emergency plan to inform users to change their personal passwords as soon as possible through all effective contact methods such as SMS and email in the station, and has also reported the case to the public security organ." Tianya Community said that users can call Tianya Community's 24-hour customer service phone, and the customer service staff will verify and retrieve the password. (Reporter Lin Qiling)
Countermeasures
1. Use the password retrieval function to retrieve the password by registering email, authenticating mobile phone or appealing.
2. Call Tianya 7×24 hours customer service phone, and the customer service staff will retrieve the password after verification. (According to Tianya's public statement)
According to industry insiders, these data will be sold at a high price in the hacker circle after being stolen, which is not known to ordinary users. Renren.com, Netease mailbox, Jinshan and others have urgently asked users to change their passwords. After the user information of dozens of well-known websites such as Renren.com, Duowan.com and Tianya Community was leaked, the user information of 17173 and JD.COM Mall was also leaked. The leaked user information data rose from 50 million to more than 1 100 million, and a large number of user accounts and passwords were made public. Netizens have said that the password has been softened.