130K users' data leaked via China's train ticketing site

Data including usernames, passwords, and e-mail addresses belonging to customers of China's official online train ticketing site, 12306.cn, have been leaked, according to an IT security vendor.

Personal data of more than 130,000 customers who purchased train tickets on China's official online railway ticketing site have been leaked, causing panic among users concerned about identify theft.

According to local news reports, data such as usernames, e-mail address, passwords, and phone numbers had been leaked from the ticketing website, 12306.cn, which is operated by China Railway. The incident was uncovered by IT security vendor Woo Yun on Thursday, and was later confirmed by 12306.cn.

Real-name registration must be provided to purchase tickets via the official website.

China Railway, however, said the data leak was not caused by its website and had originated from other online sites. "All the leaked information contains plain text, while the information in our website's database is completely encrypted, which means the data leaked via other websites or channels," it said in a statement.

It suggested that the leak could have been the result of third-party plugins, apps, or websites used by consumers to purchase train tickets.

With Chinese New Year coming up in February, tens of thousands across China will make their way back home for the annual celebration and an increasing number are turning to the internet to purchase their train tickets. The mad rush for seats has led to the emergence of various online apps and plugins touted to allow passengers to jump ahead of others and secure their train tickets.

China Railway had pointed to these third-party apps as the cause of this week's data leak. The police are investigating the incident.