Cyber Incident Victim: NetEase Inc

Date: Oct 2015

Location: China

Summary

A hacker offered stolen user accounts from multiple Chinese internet companies for sale on the dark web, including NetEase Inc. and its subsidiaries 126.com, 163.com, Yeah.net, and vip.163.com. The compromised data encompassed over a billion accounts across the company's services, with specific listings detailing 143 million from 126.com, over a billion combined from 163.com and 163.net, and smaller volumes from premium domains. This incident formed part of a broader leak dubbed "The Big Asian Leak," which also affected other major regional providers and international email services, with the entire dataset priced at approximately $800 in Bitcoin.

Description

In January 2017, a dark web actor using the alias "DoubleFlag" advertised a massive data breach dubbed "The Big Asian Leak," involving over one billion user accounts stolen from multiple Chinese internet companies. The listing explicitly named NetEase Inc. and its subsidiaries—126.com, 163.com, 163.net, vip.163.com, and Yeah.net—as primary targets, with 126.com contributing 143,725,840 compromised accounts, 163.com and 163.net collectively exposing 1,074,795,268 accounts, and Yeah.net losing 3,281,420 accounts. Additional NetEase-affiliated domains like vip.163.com suffered smaller breaches of 91,239 accounts. The attacker bundled this data with stolen credentials from other major firms, including Tencent’s QQ.com (126,936,489 accounts), Sina.com (31,037,726 accounts), Sohu.com (23,198,610 accounts), TOM.com (8,258,839 accounts), and eyou.com (1,516,976 accounts), alongside non-Chinese platforms like Nate.com (574,258 accounts) and various Yahoo, Gmail, Hotmail, MSN, and Live domains. The aggregated dataset, offered for sale at BTC 0.8873 (approximately $800), represented one of the largest credential dumps linked to Asian internet services at the time, though the article did not specify the exact breach methods or timelines for NetEase’s systems.

The incident exposed NetEase users to heightened risks of credential-stuffing attacks, phishing, and identity theft, given the company’s role as a provider of email, gaming, and e-commerce services. While the article noted Experian’s denial of involvement in the breach, it contained no statements from NetEase regarding incident validation, containment measures, or user notifications. The sheer scale of the leak—particularly the over one billion accounts tied to 163.com and 163.net—highlighted systemic vulnerabilities across multiple platforms, with compromised data remaining actively marketed on dark web forums. Secondary impacts included reputational damage to NetEase’s email subsidiaries, notably Yeah.net, which the article described as historically associated with phishing scams prior to this breach. No technical details about data exfiltration vectors, malware, or internal detection mechanisms were disclosed in the source material.
