Back in December 2011, reports were circulating about a data breach at one of the big Chinese social networking sites, Tianya.cn, suggesting that the login credentials of some 40 million users were potentially exposed. Clear text username and password combinations were stolen by hackers during the breach, although a Tianya spokesperson at the time said that only those users who registered before November 2009 would have had clear text logins, as after that the service had implemented encryption (!) - quite why the existing membership data could not have been encrypted at this point is, frankly, beyond me. Word on the webvine at the time was that unencrypted data was not secured or deleted when the servers and systems were upgraded, and the Tianya administrators had to shoulder that failure. While the 40 million figure bandied around at the time seemed huge, later reporting suggested it wasn't that bad; 'only' 4 million users ended up having their usernames and passwords published online by the hackers for everyone to see.

Fast forward to now, and the Tianya story just keeps on giving. Steve Thomas, the co-founder of PwnedList, was interviewed recently and reckons that his outfit has managed "to find over 28 million credentials, including plaintext passwords" from that breach in 2011. The data was, according to Thomas, provided by a Chinese hacker who pointed PwnedList at a 'leak share' site including the Tianya dataset.

If you are concerned that your logins may have been compromised, you can run a quick (and free) check for mentions of your email address in the PwnedList database here. Thomas has promised a new feature coming soon that will enable searching of the breach database by username and Twitter nickname as well as email, and a new database of phishing attack victims for good measure.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Member 949455

Fast forward to now, and the Tianya story just keeps on giving. Steve Thomas, the co-founder of PwnedList, was interviewed recently and reckons that his outfit has managed "to find over 28 million credentials, including plaintext passwords" from that breach in 2011. The data was, according to Thomas, provided by a Chinese hacker who pointed PwnedList at a 'leak share' site including the Tianya dataset.

I hardly ever heard of this company at all till now. That is very serious; that is a lot of members' info being posted like that. If Tianya is not going to fix that issue soon then most likely Big Brother will have to step in and punish Tianya and of course find the hacker, which Big Brother can do because they have the power to do that.

I am not so sure about the legitimacy of the email lookup @ PwnedList.

After typing:

a@a.a
b@b.b
c@c.c

All of the addresses returned N occurrences since July, 2011.
All of the addresses had been compromised 4 months ago.