Sina Weibo data leak
Personal data on 538 million Sina Weibo accounts — including the phone numbers of 172 million users — was offered for sale on the dark web for about $250, in a leak Weibo attributed to address-book matching abuse dating back to 2018. China's industry ministry summoned the company over its handling of personal data.
- Victim: Sina Weibo
- Records: 538.0M
- Users: 538.0M
On 19 March 2020, a dark-web vendor advertised a database of 538 million accounts on Sina Weibo, China's largest microblogging platform, for the equivalent of about $250. The headline figure: 172 million of those records contained users' phone numbers, making the cache valuable for spam, smishing and identity fraud.
What happened
The data was reportedly compiled in 2018 when attackers abused a contact-import / address-book matching feature. By uploading large lists of phone numbers, an attacker could have the platform return the matching Weibo profile, gradually building a mapping of phone numbers to real accounts. This is a data-scraping and enrichment technique rather than a server intrusion — Weibo's databases were not breached in the classic sense.
The seller listed fields including Weibo user IDs, account names, real names, gender, geographic location and the linked phone numbers. Notably, the dump did not include passwords, which limited the risk of direct account takeover but did little to reduce the privacy harm of exposing hundreds of millions of phone numbers.
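The contact-matching abuse described above is detectable on the platform side, because a genuine address-book sync uploads a few hundred numbers once, while enumeration uploads far more, repeatedly. The following detector is an added example (not Weibo's code); the log format, the thresholds and the sample events are all constructed assumptions.

```python
"""Flag accounts that use a contact-import endpoint for enumeration.

Constructed model: each import request is logged as (timestamp, account,
numbers uploaded, numbers matched). The policy limits (assumed, not the
platform's real ones) cap the size of one upload and the total volume an
account may submit within a rolling 24-hour window.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Policy thresholds (assumed values; tune to real address-book sizes)
MAX_NUMBERS_PER_REQUEST = 5_000
MAX_NUMBERS_PER_WINDOW = 20_000
WINDOW_SECONDS = 24 * 3600


@dataclass(frozen=True)
class ImportEvent:
    ts: int        # seconds since epoch (constructed)
    account: str
    numbers: int   # phone numbers submitted in this request
    matched: int   # profiles the platform returned for them


def flag_abusers(events):
    """Return {account: reason} for every account that breaks the policy.

    Events are processed in time order; each account keeps a deque of
    (ts, numbers) pairs restricted to the last WINDOW_SECONDS so that the
    rolling total can be recomputed cheaply.
    """
    windows = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.numbers > MAX_NUMBERS_PER_REQUEST:
            flagged.setdefault(e.account, f"single upload of {e.numbers} numbers")
            continue
        win = windows[e.account]
        win.append((e.ts, e.numbers))
        while win and win[0][0] < e.ts - WINDOW_SECONDS:
            win.popleft()                      # expire old requests
        total = sum(n for _, n in win)
        if total > MAX_NUMBERS_PER_WINDOW:
            flagged.setdefault(e.account, f"{total} numbers uploaded within 24h")
    return flagged


# Constructed sample log: one ordinary sync, one account drip-feeding 1,000
# numbers a minute, one account submitting a single bulk list.
BASE = 1_584_576_000
SAMPLE_EVENTS = (
    [ImportEvent(BASE, "user_a", 300, 120)]
    + [ImportEvent(BASE + 60 * i, "scraper_1", 1_000, 900) for i in range(50)]
    + [ImportEvent(BASE + 4_000, "scraper_2", 100_000, 60_000)]
)
```

In a real deployment the same counters would feed a rate limiter that refuses further lookups rather than only raising an alert.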
Impact
- 538 million accounts exposed in total.
- 172 million phone numbers linked to identifiable profiles.
- The low asking price (~$250) meant the data could spread widely and cheaply to spammers and fraudsters.
Weibo's then chief security officer publicly acknowledged the leak on Chinese social media, attributing it to the 2018 contact-matching abuse and stressing that no passwords or financial information were involved. Critics noted that phone numbers in China are tightly bound to real identities through mandatory real-name registration, making the exposure especially sensitive.
Response
On 23 March 2020, China's Ministry of Industry and Information Technology (MIIT) summoned Weibo, criticised its handling of personal data and ordered remediation of its data-protection practices — one of the more visible early enforcement actions ahead of the country's later Personal Information Protection Law.
Why it matters
The Weibo leak is a textbook case of abuse of legitimate platform features — contact matching — to harvest data at population scale, without ever "hacking" the back-end. It foreshadowed a wave of similar phone-number enumeration leaks at large social networks worldwide and pushed Chinese regulators toward tighter rules on how platforms expose user-lookup functionality and protect the real-name phone data they are legally required to collect.
Timeline
- 2018: According to Weibo, attackers abuse a contact-matching feature to associate phone numbers with account profiles; the underlying data is gathered at this time.
- 19 March 2020: Data on 538 million Weibo accounts, including 172 million phone numbers, is advertised for sale on a dark web forum for roughly $250.
- March 2020: Security researchers and media report on the listing; Weibo confirms a leak but denies passwords or sensitive financial data were exposed.
- 23 March 2020: China's Ministry of Industry and Information Technology (MIIT) summons Weibo and orders it to rectify its data-protection practices.
Sources
- securityaffairs.com: https://securityaffairs.com/100243/data-breach/weibo-data-dark-web.html
- cpomagazine.com: https://www.cpomagazine.com/cyber-security/data-of-538-million-weibo-users-is-available-on-the-dark-web-for-only-250/
- yicaiglobal.com: https://www.yicaiglobal.com/news/china-it-ministry-takes-sina-weibo-to-task-over-538-million-user-data-leak
- business-humanrights.org: https://www.business-humanrights.org/en/latest-news/china-weibo-admits-to-leak-of-personal-data-on-millions-of-users/