Cyber Incident Victim: Tencent
Date: Oct 2015
Location: China
Summary
A threat actor advertised stolen user data from multiple Chinese internet companies, including Tencent's QQ.com and vip.qq.com domains, totaling approximately 129.7 million compromised accounts. The breach, marketed as "The Big Asian Leak," also impacted email and portal services from NetEase, Sina, Sohu, TOM Group, and other regional providers, collectively exposing billions of accounts. The dataset was offered for sale on dark web platforms alongside unrelated email service breaches, priced at 0.8873 Bitcoin. While the advertisement claimed extensive unauthorized access, some affected organizations denied infrastructure compromises despite the data's availability.
Description
In January 2017, a dark web entity known as "DoubleFlag" advertised a massive data breach collectively termed "The Big Asian Leak," compromising user accounts from multiple Chinese and South Korean internet companies. Tencent Holdings Limited was among the affected entities, with attacker listings specifying the theft of 126,936,489 user accounts from its primary QQ.com domain and an additional 2,759,960 accounts from its vip.qq.com subdomain. The breach impacted QQ.com’s integrated services, which included instant messaging, social gaming, microblogging, music streaming, and e-commerce functionalities. Other major compromised entities included NetEase (with over 1.2 billion combined accounts across 126.com, 163.com, and Yeah.net), Sina Corporation (31 million Sina.com accounts), Sohu (23 million Sohu.com accounts), and South Korea’s Nate.com (574,258 accounts). The attacker bundled these datasets with unrelated breaches of Yahoo, Gmail, Hotmail, MSN, and Live accounts, totaling over 1.5 billion records, and priced the entire collection at 0.8873 Bitcoin (approximately $800 USD at the time).

The incident exposed authentication credentials for critical consumer platforms, but no specifics were given regarding data types beyond "user accounts." Tencent’s QQ.com breach represented the second-largest single dataset in the listing after NetEase’s 163.com. No operational disruptions, forensic findings, or containment actions by Tencent were documented in the source material. Third-party cybersecurity firm Experian disputed claims of infrastructure breaches affecting their systems but did not comment on the legitimacy of the datasets. The listing’s prominence on dark web markets raised concerns about credential-stuffing attacks targeting Asian internet services, given the scale of reused credentials across regional platforms. The attacker’s monetization strategy relied on bulk sales rather than per-record pricing, suggesting targeting of high-volume buyers seeking credentials for fraud or espionage campaigns.
