"There's so much news it's blowing up. If you have anything, just say it directly." "No need to ask about the database. Someone has already decided to buy it out"...

On the evening of June 21, black- and gray-market sellers who resell Xuetong data kept posting updates.

As news spread that 172.73 million records of student information had been leaked, attention surged and buyers and sellers quickly became active.

At 22:15 that night, a buyer posted on the black- and gray-market platform that the data "has been sold and bought out by a big-money buyer".

Beijing News Shell Finance found that the M78Sec security team was the first to disclose the Chaoxing Xuetong data leak.

On June 21, Mr. Qiu, who broke the news and is the founder of a security company in Beijing, told a Shell Finance reporter in an interview that a few days earlier he had found hackers selling data from the Xuetong (Learning Pass) APP on a platform and examined it carefully. After verification by several people, the personal information in the social engineering database (the database in which hackers archive leaked user data) was found to be highly consistent with Xuetong account information. "Actually, I am a college student who started a business. Unfortunately, my own data is also within the leaked range."

Xuetong responded the same day that it does not store user passwords in plaintext but uses one-way encrypted storage, so in theory user passwords would not be leaked.

Xuetong said that since receiving the report of a suspected leak of user data it had been conducting technical investigations for more than ten hours, that no clear evidence of user information leakage had been found, and that the public security organs had been brought in to investigate.

Black- and gray-market reselling heats up: some sellers claim to hold student information, others "expose fakes"

Chaoxing Xuetong (Learning Pass) is learning software commonly used by college students.

The exposed database was offered for sale publicly and contained 172.73 million records including name, mobile phone number, gender, school, student number and email address.

Kaiyi, who recently graduated from college, told Shell Finance that during school, students need Xuetong to sign in to class, read courseware and so on; using the APP is a school requirement tied to credits, so many schools use it and usage is frequent.

"Every class needs it." A screenshot of the Xuetong APP that Kaiyi showed reporters indicated she had used it 30,000 times.

Regarding the suspected Xuetong leak, many college students expressed concern: "There have been harassing calls since yesterday." "Is that why there have been harassing calls and text messages every day recently?"

Qiu told the Shell Finance reporter that after discovering the suspected leak, he found data such as names, phone numbers, schools, student numbers and gender in a database.

He concluded a leak had occurred because he not only found his own basic information in the leaked data, but on comparison it also matched his Chaoxing Xuetong account information.

He believes that "with high probability, the news is accurate" and that "some elite schools have not been spared."

A Shell Finance reporter found screenshots showing that on June 18 or earlier, sellers had publicly advertised "17273 pieces of Xuetong data" for sale on the black- and gray-market platform.

In response to Xuetong's statement that it had "confirmed that the password has not been leaked", a Shell Finance reporter logged on to the black- and gray-market platform and found that on the evening of June 21 a seller had posted an image suggesting that the encrypted data stored by Xuetong could be deciphered by technical means, so even if passwords were not leaked, this would not stop hackers from obtaining student data.

Shell Finance noticed that because this seller was the first to offer Xuetong information, it attracted inquiries from many buyers.

At 22:15, the seller posted on the black- and gray-market platform that the data "has been sold and bought out by a big-money buyer".

The Shell Finance reporter learned that, given enough time and computing power, hashed user passwords can be recovered.

For example, the widely used "rainbow table" password-cracking technique precomputes the hashes of all candidate passwords (a hash function converts an input string of arbitrary length into a fixed-length output) and stores them in an index file; when a hash needs to be cracked, it is simply looked up in the index file to recover the plaintext password quickly.
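The following added example (not code from the article or from Xuetong) shows in Python why "one-way encrypted" storage alone does not settle the question raised above: an unsalted hash can be recovered from a precomputed table by a single lookup, while a random per-user salt plus a slow key-derivation function makes such a table useless. The candidate password list is constructed for the demonstration, and the table is the simple digest-to-plaintext index the article describes rather than a chain-based rainbow table.

```python
"""Unsalted hash lookup versus salted PBKDF2 storage (added example, not the article's code)."""
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the candidate-password set a
# precomputed table would be built from (real tables hold billions of entries).
CANDIDATE_PASSWORDS = [
    "123456", "password", "qwerty", "12345678", "abc123", "student2022",
]


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: the same input always gives the same digest, so one
    precomputed table serves every user on every site that stores hashes this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup(candidates) -> dict:
    """Precompute digest -> plaintext once; this is the 'index file' the article
    describes (a simplified lookup table, not a chain-based rainbow table)."""
    return {hash_unsalted(pw): pw for pw in candidates}


def lookup(table: dict, digest: str):
    """Recovering a plaintext from an unsalted digest is a single dictionary lookup."""
    return table.get(digest)


def hash_salted(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt: a table built for one salt
    is useless for any other, and every guess costs `iterations` hash computations.
    Stored as salt$iterations$derived_key so verification can recompute it."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Contrast what leaks from an unsalted store with what leaks from a salted one."""
    table = build_lookup(CANDIDATE_PASSWORDS)
    leaked_unsalted = hash_unsalted("student2022")      # what an unsalted store exposes
    salt = os.urandom(16)                                # fresh random salt per user
    leaked_salted = hash_salted("student2022", salt)     # what a salted store exposes
    return {
        "unsalted_recovered": lookup(table, leaked_unsalted),           # 'student2022'
        "salted_in_table": lookup(table, leaked_salted.split("$")[2]),  # None
        "verify_ok": verify_salted("student2022", leaked_salted),       # True
    }


if __name__ == "__main__":
    print(demo())
```

The point for a platform holding student credentials is the second and third result together: the salted record cannot be matched against any table built in advance, yet the service can still verify a login by recomputing with the stored salt.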

From June 21 to 22, a Shell Finance reporter searched the black- and gray-market platform and found that as the Xuetong incident escalated, more and more buyers and sellers joined in. Amid offers of "free open query", one buyer found he had been cheated after spending $500 on Xuetong data.

Some sellers even stood up to "expose fakes", claiming "only our own data is genuine."

Qiu told the Shell Finance reporter that the reason he could find his own data in the social engineering database was probably that the hackers had already sold the data to the maintainers of that database.

According to his monitoring, after several rounds of reselling the Xuetong data had dropped to 3,000 yuan from an initial price of about 1,300 US dollars and "should have changed hands several times."

Qiu said that it was never his intention to set off a public outcry; the speed at which the incident spread exceeded his expectations, which also shows that people are paying more and more attention to the leakage of personal privacy.

"I think this incident has sounded a wake-up call for schools and platforms. Core confidential data should not be held by commercial companies, and network security must be effectively implemented."

Illegal collection of personal information: Xuetong was ordered by the Ministry of Industry and Information Technology to rectify last year

A Shell Finance reporter downloaded the Xuetong APP and saw that its rating in the Apple iOS App Store was only 1.4 points.

In the latest reviews, many users cited "invasion of privacy", but more complained that the APP was inconvenient to use, for example: "During an exam it forced me to submit, and it kept telling me I had switched away from the screen."

Shell Finance tried the registration process and saw that personal registration on the Xuetong APP requires a mobile phone number, and institutional users must additionally provide their name and login account (student number or employee number) for institutional management and statistics.

When users use functions such as check-in, image upload and Chaoxing Classroom in Xuetong, they may need to grant permissions such as location, camera, photo album and microphone.

It is worth noting that as early as January 2021, the Xuetong APP (version 4.8.1) was named by the Ministry of Industry and Information Technology for collecting personal information in violation of regulations and ordered to rectify.

In July of the same year, Xuetong (version 4.8.5) was named again because the Ministry found that it still involved illegal use of personal information and had not completed the rectification.

On June 22, a Shell Finance reporter logged on to the National Information Security Vulnerability Sharing Platform and found that Chaoxing Xuetong had been reported for XSS vulnerabilities, an information disclosure vulnerability and a logic flaw between 2020 and 2021.

The information disclosure entry reads: "The Chaoxing Learning Pass App has an information leakage vulnerability; attackers can use this vulnerability to obtain sensitive information."

The logic flaw entry reads: "There is a logic defect vulnerability in the Chaoxing Learning Pass application system platform; attackers can use the vulnerability to log in as any user account and leak user information."

According to the platform's records, Chaoxing Xuetong released patches after the vulnerabilities were announced.

Data leaks have internal and external causes; stopping data from "streaking" (sitting unprotected) is urgent

A Shell Finance reporter found that although it is impossible to confirm whether the "Xuetong data" advertised by black- and gray-market sellers is genuine, a large amount of student personal information that may have been leaked is already on the platform and has changed hands several times.

The reporter noticed that on the black- and gray-market platform, student data is categorized and sold by undergraduate, master's, doctoral, graduate and so on.

Browsing the samples offered by several sellers, the reporter found that some even included the internship histories of college students and the parent information of primary and secondary school students.

Yao Lei, data security expert at Qi Anxin and deputy general manager of its data security subsidiary, told Shell Finance that judging from past incidents, the cause of an enterprise data leak can be external, internal, or both.

An external attacker may exploit a vulnerability in the target system or use a stolen privileged account to obtain database administrator privileges and then dump the database.

"Such incidents have occurred before. For example, the LinkedIn data breach was confirmed to have been caused by hackers exploiting its API vulnerabilities. Enterprises should therefore strengthen data security protection, avoid widespread use of weak passwords, and discover and deal with security risks in a timely manner."

Yao Lei said that internal causes fall into two situations: the first is accidental data leakage caused by improper operation by operations and maintenance staff; the second is an insider: if internal access control is lacking or behavior auditing is flawed, internal employees (such as database administrators) can use their own system privileges to download data from the database in bulk and then resell it.

From this point of view, enterprises should adopt technical means to strengthen access management and behavior auditing of their own internal employees, and strictly control certain unauthorized or high-risk operations.
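As an added illustration of the "behavior audit" Yao Lei recommends for the insider scenario (example code, not Qi Anxin's or Xuetong's), the Python below runs a simple per-user sliding-window check over database audit log lines and flags accounts whose returned row volume looks like a bulk export, noting whether it happened outside working hours. The log format, the account names, the one-hour window, the row budget and the off-hours window are all constructed assumptions; a real deployment would feed the database's own audit stream and tune the thresholds to its normal load.

```python
"""Flag privileged accounts whose audited query volume looks like a bulk export
(added example; log format and thresholds are assumptions, not any vendor's)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: ISO timestamp, database user, table, rows returned.
# The app service account reads one row at a time; the DBA account pulls the
# whole students table in three large chunks late at night.
AUDIT_LOG = """\
2022-06-18T09:12:01 app_svc students 1
2022-06-18T09:12:05 app_svc students 1
2022-06-18T10:03:44 dba_li students 200
2022-06-18T23:41:10 dba_li students 500000
2022-06-18T23:42:30 dba_li students 500000
2022-06-18T23:44:02 dba_li students 500000
2022-06-19T08:15:00 app_svc students 1
"""

ROW_BUDGET_PER_WINDOW = 100_000   # assumed: more rows than this per user per hour is suspicious
OFF_HOURS = (22, 6)               # assumed quiet period: 22:00 to 06:00 local time


def parse_line(line: str):
    """Split one audit line into (timestamp, user, table, rows)."""
    ts, user, table, rows = line.split()
    return datetime.fromisoformat(ts), user, table, int(rows)


def is_off_hours(ts: datetime, window=OFF_HOURS) -> bool:
    """True when the timestamp falls inside the assumed quiet period."""
    start, end = window
    return ts.hour >= start or ts.hour < end


def find_bulk_exports(log_text: str, budget: int = ROW_BUDGET_PER_WINDOW,
                      window: timedelta = timedelta(hours=1)):
    """Sum rows per user over a trailing window; return one alert per user as
    (user, time_exceeded, rows_in_window, off_hours). Auditing is per account,
    which is what lets a DBA's bulk pull stand out from application traffic."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort()
    recent = defaultdict(list)   # user -> [(timestamp, rows)] inside the window
    alerted = set()
    alerts = []
    for ts, user, _table, rows in events:
        q = recent[user]
        q.append((ts, rows))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.pop(0)
        total = sum(r for _, r in q)
        if total > budget and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, total, is_off_hours(ts)))
    return alerts


if __name__ == "__main__":
    for user, ts, total, off in find_bulk_exports(AUDIT_LOG):
        flag = "OFF-HOURS " if off else ""
        print(f"{flag}bulk read by {user}: {total} rows within 1h as of {ts.isoformat()}")
```

On the constructed log this raises a single alert for the DBA account at 23:41, when its first 500,000-row pull alone exceeds the budget; the application account never comes close. The same per-account accounting is what would have to be paired with access control (no standing bulk-read privilege for individuals) for the "strictly control unauthorized or high-risk operations" advice above to be enforceable rather than merely observable.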

After the possible Chaoxing Xuetong leak was exposed, many student users publicly questioned Xuetong's "usage count" on social platforms.

The netizen "Who Am I Little Monster" said he used Xuetong only when he needed to book a seat at the library, yet it showed 4,926 uses.

The netizen "Milk tea instead of full sugar and light sugar" said he had used Xuetong 60,000 times.

Xuetong responded that the usage count is not "the number of times Xuetong is used" but the number of page requests sent to the server while using Xuetong, similar to the pv (pageview) metric for Internet requests; a learner having several hundred thousand Xuetong uses is normal and not a sign of account leakage.

Qiu told the Shell Finance reporter that there should be no necessary connection between the Xuetong usage count and the leak. "This incident is most likely the result of hacking."

He said that he has taken part in a large number of offensive and defensive drills and found that major domestic universities still have network security construction to implement.

"Building concrete measures and formulating industry standards require the joint efforts of people of insight. National network security construction requires the long-term joint efforts of all parties to fight for a better and safer Internet."

Kong Deliang, vice president of Qi Anxin Group and head of its innovation BG, said that the information leaks exposed by the media in recent years show once again that the data of many enterprises and institutions is "streaking" (left unprotected), which is the primary issue in data security today. Stopping the "streaking" and making up the shortfalls is urgent, and more than 85% of customers need to start from there.

  Beijing News Shell Finance reporter Luo Yidan