Xuetong responds to 170 million suspected data leakage

Photo of author

By admin

Recently, “Xuetong Database Suspected Information Leakage” appeared on Weibo’s hot search. According to the network security public account “M78 Security Team” on June 20 (now deleted), the database information of the university learning software “Learning Pass” is suspected to have been leaked on a large scale, including name, mobile phone number, gender, school, student number, email, etc. The number of messages is suspected to be 172.73 million.

In response, Xuetong responded on Weibo on the 21st that it does not store the user’s plaintext password, and theoretically the user’s password will not be leaked. Xuetong also said that after receiving the news of the suspected leakage of user data, it has continuously conducted technical investigations for more than ten hours. No clear evidence of user information leakage has been found, and the public security organs have been involved in the investigation.

In response to Xuetong’s response, some experts told Nandu Privacy Guard that as long as there are loopholes in the system, hackers may imitate the user’s login process and steal database information without a password. And if the strength of the database encryption is not enough, as long as there is enough time and computing power, it can also be unlocked. Thus, doing great in data backup and disaster recovery is becoming more important.

According to public information, Xuetong is an educational software under Beijing Century Chaoxing Information Technology Development Co., Ltd. It has a very high penetration rate in colleges and universities. Its functions include online course punch-in, examination invigilation, etc. In the Apple App Store, the Xuetong App currently has 120,000 ratings, with an average rating of 1.4 (out of 5). In the low score evaluation, many users expressed their dissatisfaction with the privacy collection and user experience.

On June 20, the “M78 Security Team” issued a document saying that it found that the Xuetong database was being sold by hackers through illegal channels, covering names, mobile phone numbers, student IDs, job IDs, gender, email addresses, passwords of some users, etc. 7,273 items, the first disclosure of information leakage in the Xuetong database

The author verified and found that the social work library robot in a well-known software can already query relevant information, and the query information covers key information such as student number, name, gender, school, mobile phone number, etc., which is consistent with his own learning information. “So with a high probability, the news is accurate.”

According to the screenshots from the Internet, Nandu Privacy Guard entered the platform of the seller who sold Xuetong user data. The seller claimed to “sell a data for a friend”, including the school/organization name, name, mobile number, student number/worker in Xuetong. Number, gender, email, a total of 172.73 million entries, including 10.76 million passwords.

On the afternoon of the 21st, Xuetong responded publicly on the official blog, saying that the company received feedback on “suspected Xuetong APP user data leakage” on the evening of the 20th, and immediately organized a technical investigation. Evidence of user information leakage. In view of the seriousness of the matter, the company has reported the case to the public security organs, and the public security organs have been involved in the investigation.

Xuetong also emphasized that online rumors that the password was leaked were untrue. Because it does not store the user’s plaintext password, it adopts one-way encrypted storage. Under this technical means, even the company’s internal employees (including programmers) cannot obtain the password in plaintext. “Theoretically, the user’s password will not be leaked.”

Although Xuetong has not confirmed the discovery of user data leakage, as of now, a number of Xuetong users have posted the Xuetong page after logging in on the Internet, and some show that the number of times of use is as high as 100,000. Some netizens said that they had received a lot of harassing calls recently, and they suspected that it was related to the data leakage of Xuetong.

In this regard, Xuetong explained that the usage of Xuetong is not “the number of times of using Xuetong”, but the number of page requests sent to the server when users use Xuetong. If the user is studying normally, there will be hundreds to thousands of usage per day. quantity. Therefore, there are hundreds of thousands of usage “a normal phenomenon, not a manifestation of account leakage.” However, the number of users who read 0 minutes has also reached tens of thousands.

Regarding Xuetong’s response to the data breach, Peng Gen, general manager of Beijing Hanhua Feitian Xin’an Technology Co., Ltd., said that there is no necessary connection between keeping passwords and data leakage. “As long as there are loopholes in the system, it is possible for hackers to imitate the user login process and steal information from the database without the need for a password.”

As for the password storage method, Peng Gen believes that there is no such thing as the so-called “one-way encrypted storage”, and he guesses that it may refer to an irreversible method. But he emphasized that if the password strength is not enough, as long as there is enough time and computing power, it can also be unlocked.

Nandu Privacy Guard has learned from a number of college students that many colleges and universities are still using “learning pass”, and some colleges and universities have issued notices to students to change their passwords. There are also many netizens who said that they have canceled the Xuetong account.

A student at Chang’an University told Nandu Privacy Guard that she had used the same password on many platforms and “felt panicked” after seeing the news. She hopes that “Xuetong” will first dispel the public’s doubts, respond as soon as possible, and inform the public of the extent of the leak, the worst impact, and how to quickly solve the problem.

Xiong Dingzhong, chief partner of Qinglu Law Firm, said that since Xuetong has reported the case, the first thing to do is to wait for the results of the investigation by the public security organs. If a data breach does occur, it depends on whether the platform is at fault. If the platform has already followed the legal requirements to achieve the corresponding security level measures according to the type of user sensitive information it holds, “it may not have much responsibility at all, which is equivalent to saying that they are also victims.”

He also mentioned that individuals have the right to report to the Ministry of Industry and Information Technology or the Cyberspace Administration of China if they receive a large number of harassing calls or receive a large amount of illegal information. “But the public security organs have direct jurisdiction over such a large-scale database leak, so for ordinary users, they can just wait for the police report.”

Nandu Privacy Guard inquired about the national information security vulnerability sharing platform and found that in March 2020, the Xuetong App was found to have an XSS vulnerability (cross-site scripting attack, which means that website vulnerabilities can be used to maliciously steal information from users); It was found that there is an information leakage vulnerability, and the hazard level is “medium”. In September and November 2021, Xuetong updated two patches.

In addition, Xiong Dingzhong also pointed out that data leakage and system breach are two situations. The latter means that hackers may access user records in large numbers and frequently, and use running apps to further steal users’ personal information, “which will be more serious than just the leakage of the database.”

In a word, businesses and people must both understand how to secure their data. Businesses must be accountable to their consumers, while individuals must be accountable for their own data security. With the advancement of technology, we now have various options for data protection. Data backup and disaster recovery, for example. Virtual machine backup is a novel backup technology that is secure and dependable and may freely backup data in multiple situations. VMware backup, Hyper-V backup, Xenserver backup, and other popular virtual machine backups are available.