
Cyber Incident Victim: Youku Inc.

Date:

Jan 2016

Location:

China

Summary

A Chinese video streaming platform suffered a data breach affecting roughly 100 million user accounts; the dataset was later offered on a dark web marketplace for $300 in Bitcoin. The records paired email addresses with passwords that had been recovered by cracking the MD5 and SHA1 hashes in which they were stored (a hash is not decrypted but guessed, so the recovery rate says as much about weak password storage as about the intrusion itself). Email domains such as 163.com, qq.com, and xiaonei.com dominated the sample. A breach notification service independently confirmed the exposure and noted that a quarter of the affected accounts had already appeared in other breaches. Because the cracked passwords were circulating publicly before the sale, the main risk to users was credential stuffing against any other service where the same password had been reused.


Description

In April 2017, a Dark Web vendor using the alias CosmicDark advertised a database of 100,759,591 user accounts stolen from Youku, a major Chinese video streaming service. The vendor claimed the data had been compromised in 2016 and first leaked publicly in 2017; the method of extraction was never confirmed. Each record paired an email address with a plaintext password recovered by cracking the MD5 or SHA1 hash in which it had been stored (neither algorithm is reversible, so the plaintexts were obtained by dictionary and brute-force guessing, which is fast against unsalted, unstretched hashes). CosmicDark priced the full dataset at $300 USD (0.2559 Bitcoin at the time) and released a sample of 552 accounts for verification. Most email addresses in the sample belonged to the domains @163.com, @qq.com, and @xiaonei.com. Independent verification by security researchers found that the cracked passwords in the sample were already circulating publicly before this listing, suggesting earlier exposure of the same data or reuse of credentials from other breaches. At the time, the breach ranked among the largest known credential thefts from a Chinese digital platform.
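As an added illustration, not part of the original incident record and not Youku's code, the following Python shows why passwords stored as plain MD5/SHA1 hashes are recovered so readily from a dump of this kind, and how a notification service estimates the overlap with earlier breaches. It assumes the hashes were unsalted (the page does not say so; the speed of recovery is consistent with it). The email addresses, the digests, the wordlist and the "previously seen" set are all constructed for the example; the final `salted_kdf` function is the contrast case, showing storage that the shared lookup table cannot attack.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the leaked records: (email, hex digest).
# Emails are invented. The first three digests are the unsalted MD5/SHA1
# of common passwords; the last is a digest whose preimage is not in the
# wordlist, so it demonstrates the failure mode (not every hash cracks).
SAMPLE_DUMP: List[Tuple[str, str]] = [
    ("alice@163.com", "e10adc3949ba59abbe56e057f20f883e"),                # md5("123456")
    ("bob@qq.com", "5f4dcc3b5aa765d61d8327deb882cf99"),                   # md5("password")
    ("carol@xiaonei.com", "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),    # sha1("password")
    ("dave@qq.com", "0123456789abcdef0123456789abcdef"),                  # not crackable here
]

# Tiny stand-in for the multi-gigabyte wordlists used in real cracking runs.
WORDLIST: List[str] = ["123456", "password", "qwerty", "111111", "abc123"]

# Constructed: (email, password) pairs already known from earlier, unrelated
# dumps, the kind of corpus a breach-notification service keeps.
PREVIOUSLY_SEEN: Dict[str, str] = {"alice@163.com": "123456", "dave@qq.com": "hunter2"}


def identify_algo(digest: str) -> Optional[str]:
    """Guess the unsalted digest type from its hex length (32 = MD5, 40 = SHA1)."""
    digest = digest.strip().lower()
    if len(digest) == 32:
        return "md5"
    if len(digest) == 40:
        return "sha1"
    return None


def build_lookup(wordlist: List[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext for every candidate password.

    With unsalted hashes this table is built once and reused for every
    account, so total cost is O(len(wordlist)) instead of
    O(len(wordlist) * len(dump)). That is why 100 million accounts can be
    cracked cheaply when stored this way.
    """
    table: Dict[str, str] = {}
    for word in wordlist:
        raw = word.encode()
        table[hashlib.md5(raw).hexdigest()] = word
        table[hashlib.sha1(raw).hexdigest()] = word
    return table


def crack_dump(dump: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Map each email to its recovered password, or None if no candidate matched."""
    table = build_lookup(wordlist)
    result: Dict[str, Optional[str]] = {}
    for email, digest in dump:
        if identify_algo(digest) is None:
            result[email] = None      # unknown format; skip rather than guess
            continue
        result[email] = table.get(digest.strip().lower())
    return result


def reuse_fraction(cracked: Dict[str, Optional[str]], previously_seen: Dict[str, str]) -> float:
    """Share of accounts whose (email, password) pair was already public.

    Those users are exposed to credential stuffing on every other site where
    they reused the password, whether or not this breach had happened.
    """
    hits = sum(1 for email, pw in cracked.items()
               if pw is not None and previously_seen.get(email) == pw)
    return hits / len(cracked)


def salted_kdf(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The contrast case: per-user random salt plus a slow KDF.

    PBKDF2-HMAC-SHA256 at 600k iterations makes each guess expensive and the
    salt makes a shared digest table useless, so the lookup attack above
    no longer applies.
    """
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


if __name__ == "__main__":
    cracked = crack_dump(SAMPLE_DUMP, WORDLIST)
    for email, pw in cracked.items():
        print(f"{email:20s} -> {pw if pw else '<not cracked>'}")
    print(f"already public before this dump: {reuse_fraction(cracked, PREVIOUSLY_SEEN):.0%}")
```

On the constructed sample three of four hashes fall to a five-word list in a single pass, and the reuse estimate comes out at 25%, the same proportion the notification service reported for the real dump. The `salted_kdf` output for the same password never appears in the precomputed table, which is the whole point of salting and stretching.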


HaveIBeenPwned, a breach notification service, independently validated the breach on April 15, 2017, loading approximately 92 million Youku accounts (unique email addresses) and noting that 25% of them were already present in its corpus from earlier breaches. The public availability of cracked passwords heightened the risk of credential-stuffing attacks against users who reused the same password on other services. No public statement or user notification from Youku about the incident was documented in the available source material at the time of reporting. The listing appeared amid a surge in Dark Web marketplace activity, with contemporaneous offers including 21 million compromised Gmail and Yahoo accounts, 640,000 PlayStation accounts with recovered passwords, and credentials from several Bitcoin and vBulletin forums. Given Youku's prominence in China's digital ecosystem, the exposure posed a significant privacy and account security threat to its user base.
