The data of tens of millions of JD.com users are suspected to have been leaked. Human greed has given rise to the "data black industry".


Recently, a heavy "bomb" appeared on the black market. A 12G data package began to circulate, containing fields such as user names, passwords, email addresses, QQ numbers, phone numbers and ID cards, with tens of millions of records.

Both buyers and sellers on the black market said, "These data come from JD.com." JD.com said it is urgently verifying the authenticity of the data.

01. Data Mystery

Recently, because of this 12G data packet, the black market was stirred up again.

Some underground channels began to trade data at a fixed price, with prices ranging from "100,000 to 700,000".

Screenshot of some of the leaked data

The data is divided into several fields: name, password, email, QQ, ID card, phone number, etc.

According to industry insiders, the data has been sold many times and "at least hundreds of black market operators have the data."

"The data was leaked quite a long time ago, and the reason why it is circulated again now is unclear," an industry insider revealed, adding that it is difficult to confirm whether it was an "insider" or "hacker theft" for the time being.

Industry insiders said that after most data leaks, hackers first "clean the database": they log in to the accounts and strip out anything valuable, for example logging in to game accounts and transferring virtual currency. This cleaning process generally takes several months or even longer.

The data will only be sold after the second “database cleaning”. “After the data’s value has been fully extracted, it will be divided among people in the market.”

It is worth noting that the user passwords in this data are stored as MD5 hashes, and professional cracking software is required to obtain the original passwords.

Industry insiders said that it usually takes a certain amount of time to crack MD5, but some passwords have been decrypted by others in the database and can be cracked instantly, such as 123456; if it is a new password, it will take longer to crack.

Generally, only 3-5% of accounts can be cracked instantly.
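Why common passwords fall instantly, shown from the defender's side: unsalted MD5 gives every user of 123456 the same digest, so one precomputed table matches them all, while a per-user salt with a slow KDF does not. This is an added example, not from the original article; the account names, sample passwords and PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example


def md5_store(password):
    """Legacy scheme: unsalted MD5. The same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_store(password, salt=None):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def kdf_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(kdf_store(password, salt)[1], expected)


def weak_accounts(md5_table, common_passwords):
    """Audit a legacy table: accounts whose digest appears in a precomputed
    table of common passwords need a forced reset."""
    known = {md5_store(p) for p in common_passwords}
    return sorted(user for user, digest in md5_table.items() if digest in known)


# Constructed sample users (not real accounts).
USERS = {"user_a": "123456", "user_b": "123456", "user_c": "T7#qv!x2Lm9z"}
MD5_TABLE = {u: md5_store(p) for u, p in USERS.items()}
KDF_TABLE = {u: kdf_store(p) for u, p in USERS.items()}

if __name__ == "__main__":
    # Two users with the same password are indistinguishable under MD5 ...
    print("MD5 digests equal:", MD5_TABLE["user_a"] == MD5_TABLE["user_b"])
    print("Flagged by audit:", weak_accounts(MD5_TABLE, ["123456", "password"]))
    # ... but not once each record carries its own salt.
    print("KDF digests equal:", KDF_TABLE["user_a"][1] == KDF_TABLE["user_b"][1])
```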

The reporter tried to log in using some user names and cracked passwords, and indeed most of them could log in to JD accounts.

Yao Xin's password can be cracked instantly (how important it is to design a complex password)

After logging in, users' orders, addresses, transactions and other information on JD.com are all available. Even a financial reporter searched for his own name in the database and found that his information had already been leaked.

"Hackers can also use this data to perform database collision operations," said an industry insider. "Database collision", known in English as credential stuffing, is a black-industry term: hackers use leaked usernames and passwords to try to log in to other websites in batches and obtain data.

This exploits a human weakness in how passwords are chosen. To make them easier to remember, most people use the same username and password everywhere, so database collisions have a very high success rate.

The most serious and most direct damage comes from breaking into financial accounts and transferring the funds away.
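Detection logic for the batch login attempts described above: flag any source address that tries many distinct usernames with a low success rate, and list the accounts it did get into so their passwords can be reset. This is an added example, not part of the original article; the log format, addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log; assumed format: "time source_ip username result".
LOG = """\
02:14:01 203.0.113.7 liwei fail
02:14:02 203.0.113.7 zhang88 fail
02:14:02 203.0.113.7 wangfang ok
02:14:03 203.0.113.7 chen_q fail
02:14:04 203.0.113.7 hui_1990 fail
02:14:05 203.0.113.7 liu2016 fail
09:30:11 198.51.100.23 sunny fail
09:30:25 198.51.100.23 sunny fail
09:30:40 198.51.100.23 sunny ok
10:02:00 192.0.2.44 mali ok
"""


def parse(log):
    """Yield (ip, user, success) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("ok", "fail"):
            yield parts[1], parts[2], parts[3] == "ok"


def stuffing_suspects(log, min_users=5, max_success_rate=0.3):
    """Return {ip: stats} for sources that look like credential stuffing.

    One user mistyping a password hits a single username; a stuffing run
    walks through many usernames and mostly fails.
    """
    users, attempts, hits = defaultdict(set), defaultdict(int), defaultdict(set)
    for ip, user, success in parse(log):
        users[ip].add(user)
        attempts[ip] += 1
        if success:
            hits[ip].add(user)
    report = {}
    for ip, seen in users.items():
        rate = len(hits[ip]) / attempts[ip]
        if len(seen) >= min_users and rate <= max_success_rate:
            report[ip] = {"distinct_users": len(seen),
                          "success_rate": round(rate, 2),
                          "reset_required": sorted(hits[ip])}
    return report


if __name__ == "__main__":
    print(stuffing_suspects(LOG))
```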

On December 9, Yiben Finance checked the situation with JD.com. As of press time, JD.com's latest response was that it had asked its technical department to verify the data urgently and could not yet confirm its authenticity.

02. This is not an isolated case

In fact, this is not the first time that JD.com has been exposed for data leaks.

In 2015, JD.com was exposed for leaking a large amount of user privacy information, and many users were defrauded of money, with a total loss of millions. It was not until a year later that JD.com announced the results of the investigation, saying that it was due to an "insider".

The so-called "insiders" were three logistics personnel who, through the logistics process, obtained information such as user name, phone number, address, time of order, purchased goods, etc., with a total of 9,313 pieces of data.

E-commerce platforms have always been one of the hardest hit areas for data leaks.

At the beginning of 2014, Alipay was reported to have suffered a 20GB user data leak. After investigation, it was found that the leak was an "internal crime": Li Ming, a former technical employee of Alipay, took advantage of his position to download user data from the company's backend many times. The 20GB of data included users' real names, mobile phone numbers, email addresses, home addresses, consumption records, etc., and was quite accurate.

Li Ming and his two accomplices sold user information by the number of pieces at different prices. The more valuable ones could be sold for dozens of yuan each; some people also bought 30,000 pieces of user information for 500 yuan.

The more interesting part of this story is that the buyers of this data are all "friendly competitors", such as other e-commerce platforms.

In addition to Alipay, as early as 2012, No.1 Store was exposed for collusion among its online mall employees, former employees and outsiders, resulting in the leak of 900,000 user records for only 500 yuan.

It can be seen that "insiders" are an important reason for e-commerce information leakage. In addition, it is also a common phenomenon that e-commerce platforms are vulnerable to hackers and data is stolen due to their own technical loopholes.

The year 2014 was the year when security risks on e-commerce platforms erupted in a concentrated manner.

In March, the account balances of 113 Dangdang.com users were stolen.

The hacker first steals the user's login information, then modifies the user's bound mobile phone, email address and other information, and finally purchases valuable goods such as electronic products.

Under heavy pressure from public opinion, Dangdang.com announced that it would compensate its users.

In the same month, the WooYun vulnerability platform exposed a technical vulnerability in Ctrip's system that could lead to the leakage of important information such as users' names, ID numbers, bank card types, bank card numbers and the 6-digit BIN of the bank card used for payment.

Ctrip subsequently issued a statement saying that it had confirmed that there were security risks in the accounts of 93 people and had notified the relevant users to change their credit cards.

At the end of the year, six sub-websites of China Railway Ticket Purchase Website 12306 had high-risk vulnerabilities, which led to the leakage of hundreds of thousands of user data, including user accounts, plain text passwords, ID cards, email addresses and other sensitive information. 12306 announced a reward and called on netizens to find the vulnerability.

Whether it is an insider or a hacker attack, it is all driven by profit.

03. Data pain

A huge underground data industry chain has already been formed.

The leaked information of netizens falls mainly into two categories. Personal information includes name, ID number, mobile phone number, home address, work unit, email account and password, online shopping information, car and house purchase information, medical information and other types of information.

Online activity information includes call records, online shopping records, website browsing traces, IP addresses, software usage traces and geographic locations, covering a very wide range.

The underground database can already understand a person from more than 200 dimensions - even better than you know yourself. These leaked data eventually become tools for criminals to make profits in various ways.

This year, the People's Daily published an article stating that 78.2% of netizens' personal identity information had been leaked, 63.4% of netizens' personal online activity information had been leaked; and 82.3% of netizens had personally felt the impact of the leakage of personal information on their daily lives.

The reach of the black industry has extended into the lives of ordinary people, to the point where it touches them directly.

In 2015 alone, Chinese netizens suffered losses of 80.5 billion RMB due to information leaks - and this is only the publicly available data.

In fact, due to the rise of big data, each company has a strong demand for data, which has accelerated the circulation of black market data.

A financial magazine once investigated the black industry chain in "Credit Reporting Chaos", and found that there were tens of thousands of middlemen engaged in data trading. Each transfer of data was worth tens of thousands to millions of yuan. The underground black market may have already formed a trillion-level market.

The privacy and information of users have become commodities for sale, flowing recklessly on the black market. The pain of data has been felt by everyone.

However, this problem cannot be solved by simply doing a good job of security. In addition to technology, we must also guard against human greed.
