VNG Zing ID 163-million account breach
A 2015 breach of Vietnamese tech giant VNG's Zing platform exposed roughly 163 million Zing ID accounts, with usernames, passwords, emails and phone numbers later found trading on RaidForums.
- Victim
- VNG Corporation (Zing ID)
- records
- 163.7M
- users
- 163.7M
In April 2018, one of the largest data breaches ever recorded in Southeast Asia came to light: roughly 163 million account records from Zing, the platform of Vietnamese internet giant VNG Corporation, were found being traded on the hacking forum RaidForums. The underlying breach actually dated back to 2015, but its true scale only became public three years later.
What happened
In May 2015, attackers compromised the database behind Zing ID β the unified login VNG used across its games and online services. The breach was not publicly disclosed at the time. In April 2018, a RaidForums user advertised a dataset of exactly 163,666,400 Zing ID accounts for sale, a file totalling about 7.55GB.
The leaked records included:
- Usernames and passwords
- Email addresses
- Phone numbers
- Full names and dates of birth
- IP addresses, city and country
VNG's response
In a statement on 29 April 2018, VNG stopped short of fully confirming the breach but acknowledged it had "been informed of a risk involving data leak of more than 160 million Zing IDs" back in 2015. The company sought to downplay the impact, stressing that the affected accounts were largely game accounts β many auto-generated by its games β and arguing that "the scale of the breach was limited" without affecting its other services.
The breach was loaded into Have I Been Pwned, giving the public a way to check exposure and cementing its status as one of the largest credential leaks tied to a single Vietnamese company.
The scale problem
The headline figure of ~163 million exceeds Vietnam's entire population (about 95 million at the time), reflecting that a single user could hold multiple game-generated Zing IDs and that the dataset accumulated over years. Even discounted for duplicates and machine-created accounts, it represented an enormous trove of reusable credentials β fuel for credential-stuffing attacks against other services where users recycled passwords.
Why it matters
The Zing ID breach is a defining case of delayed disclosure: a 2015 compromise that the public only learned about in 2018, and whose data resurfaced again in 2023 inside the so-called "Mother of All Breaches" compilation of 26 billion records. It illustrates how leaked credentials never truly disappear β they recirculate through forums and aggregations for years. The incident became a touchstone in Vietnam's debate over personal-data protection, helping motivate the country's later Personal Data Protection Decree (PDPD) and broader data-security legislation.
Timeline
VNG's Zing platform is breached, exposing roughly 163 million Zing ID account records.
A RaidForums user offers 163,666,400 Zing ID accounts for sale, totalling about 7.55GB of data.
VNG issues a statement acknowledging awareness of a data-leak risk involving more than 160 million Zing IDs.
The breach is loaded into Have I Been Pwned, exposing the scale to the public.
The 2015 Zing dataset resurfaces inside the 'Mother of All Breaches' compilation of 26 billion records.
Sources
- haveibeenpwned.comhttps://haveibeenpwned.com/Breach/VNG
- freezenet.cahttps://www.freezenet.ca/vng-apologizes-data-breach-exposed-163-million-accounts/
- e.vnexpress.nethttps://e.vnexpress.net/news/news/164-million-zing-records-found-in-historic-data-breach-4704981.html
- cyberlands.iohttps://www.cyberlands.io/topsecuritybreachesvietnam