The personal details of more than 538 million users of Chinese social network Weibo are currently available for sale online, according to ads seen by ZDNet and corroborating reports from Chinese media.
In ads posted on the dark web and other places, a hacker claims to have breached Weibo in mid-2019 and obtained a dump of the company's user database.
The database allegedly contains the details for 538 million Weibo users. Personal details include the likes of real names, site usernames, gender, location, and -- for 172 million users -- phone numbers.
Passwords were not included, which explains why the hacker is selling the Weibo data for only ¥1,799 ($250).
A Weibo spokesperson did not return a request for comment from ZDNet before this article publication, but the company provided statements to Chinese media on the matter.
However, Weibo's response has been confusing.
In a statement sent to Chinese site 36kr and many others, the company claims the phone numbers were obtained at the end of 2018 when its engineers observed a series of user accounts uploading large batches of contacts in an attempt to match accounts with their respective phone numbers. In a separate statement posted on its own Weibo profile, the company said it doesn't store passwords in plaintext and that users should have nothing to worry about.
However, several Chinese security experts were quick to point out technical irregularities with the company's response. First, the hacker's ad contained indicators that the data came from an SQL database dump, which did not match the company's explanation that the data was obtained by matching contacts against its API.
Second, the company's statement also doesn't explain how the hacker obtained other details like gender and location, information that is not public, nor returned by the API when matching contacts.
Speculation has been rampant on Chinese social media about where the data originated and how the attacker got their hands on it. The theory of a password spray or credential stuffing attack was quickly dismissed when security researchers realized the attacker wasn't selling passwords.
The hacker, which in some ads went by the name of "@weibo," also provided samples of the data, which Weibo users confirmed to be accurate.
Weibo said it notified authorities about the incident and that police is investigating.
Due to its near totalitarian control over the internet, Chinese police have been able to track most local hackers with relative ease. In the summer of 2018, another hacker put up for sale the details of millions of hotel guests that stayed at properties from the Huazhu Hotels Group. Chinese police arrested the hacker three weeks later, despite the data being sold on the dark web.