Personal data from 30 million users of China’s top dating app Momo is reportedly being sold for as little as RMB 200 (around $30).
Weibo user lxghost posted a series of screenshots from the Chinese dark web entitled “database of 30 million Momo users” today (December 3), with a comment saying: “Momo’s database is quite cheap.”
TechNode was unable to verify the claims made by the Weibo user.
According to the screenshots, data on offer includes phone numbers and passwords. Peddlers claim that the data was obtained on July 17, 2015. They said the data was stolen through a method known as credential stuffing, in which stolen account credentials, usually usernames and passwords, are submitted in malicious login requests against another platform to gain unauthorized access to user accounts there.
In a statement, Momo said the matching rate for data is “quite low.” Even if the phone number and the password in the package do match, it’s impossible for others to log in with the leaked data because any such attempt on a different device would trigger a verification message via text, the company told TechNode.
Cybersecurity experts told the Southern Metropolis Daily that users who use identical accounts and passwords for every platform are highly vulnerable to such attacks.
The fact that the data is from three years ago may be the reason it’s so cheap. At the same time, the peddler has added a disclaimer, saying that they can’t guarantee the validity of the data and they will not support a refund once the information is sold. The photos show the data package has been purchased three times.
It’s no secret that personal information leaks are rampant in China, with the details of millions of citizens being stolen, shared, and sold online. In August this year, a data leak at Huazhu Hotels Group was thought to affect 130 million customers in what was believed to be the largest data breach in China in five years.
Additionally, a recent report by the China Consumer Association (CCA) found that 85.2% of app users in China have experienced data leaks. The same organization found that Meitu, along with nearly 100 other apps, had violated user privacy by “excessively collecting recognizable bio data.”
Update: Included a response from Momo detailing its security measures.