Cyber Incident Victim: TOM Online
Date: Oct 2015
Location: China
Summary
A hacker known as DoubleFlag compromised Tom.com, stealing 8,258,839 user accounts and listing them for sale on the dark web alongside data from multiple Chinese internet firms including NetEase, Tencent, Sina, and Sohu. The collective breach, dubbed "The Big Asian Leak," involved billions of accounts from email providers and web portals, with additional compromised credentials from international services such as Yahoo, Gmail, and Hotmail. The dataset was offered for approximately $800 in Bitcoin, though none of the affected companies confirmed a breach.
Description
In January 2017, a dark web actor using the alias "DoubleFlag" advertised a massive data sale dubbed "The Big Asian Leak," covering over 1 billion user accounts from multiple Chinese and South Korean internet companies. The listing explicitly named TOM Group’s Tom.com alongside NetEase subsidiaries (126.com, 163.com, Yeah.net), Tencent’s QQ.com, Sina Corporation’s Sina.com, Sohu’s Sohu.com, Letter Network’s eYou.com, and SK Communications’ Nate.com. DoubleFlag claimed to possess 8,258,839 user accounts from Tom.com, described as a mobile internet company operating a popular Chinese-language portal and offering wireless internet and online advertising services. The hacker additionally listed stolen credentials from global email providers, including 23,590,165 accounts from Yahoo’s Asian domains (co.jp, com.cn, com.tw), 17,928,531 Hotmail accounts, 3,371,754 Gmail accounts, 1,098,274 MSN accounts, and 407,423 Live accounts. The entire dataset was priced at BTC 0.8873 (approximately $800 USD at the time). No affected company publicly acknowledged a breach; the only corporate statement in the reporting was Experian’s denial that its own systems were involved, which was unrelated to the listed victims.

The incident exposed authentication credentials for Tom.com users alongside those of other major platforms, creating widespread credential-stuffing risk because passwords are commonly reused across services. TOM Online’s compromised accounts formed part of a broader pattern targeting Chinese internet infrastructure, with NetEase subsidiaries suffering the largest exposure (over 1.2 billion combined accounts from 163.com, 126.com, and Yeah.net). Tencent’s QQ.com followed with 126,936,489 standard and 2,759,960 VIP accounts, while Sina.com and Sohu.com accounted for 31,037,726 and 23,198,610 accounts respectively. Smaller exposures included eYou.com (1,516,976 accounts) and Nate.com (574,258 South Korean accounts). The consolidated sale of credentials across multiple providers amplified the cross-platform attack potential, though the source article did not state whether Tom.com or the other victims confirmed the breach’s legitimacy, disclosed how it was detected, or initiated containment procedures. Public reporting emphasized the dark web listing’s accessibility and scale, framing it as a regional cybersecurity event with multinational implications because global email services were included.
