AcFun, which operates one of China’s popular platforms to share video and animation, has been hit by a cyberattack in which “tens of millions of users’ information” were compromised, the website South China Morning Post said.
“The reason for this catastrophe is, fundamentally, because we didn’t make the website secure enough,” AcFun said in a statement. The 11-year-old company apologised to its users for the security breach, while assuring them evidence of the security breach was collected and that the incident has been reported to the police. It suggested that users who did not log on to the AcFun site after July 7, 2017, when the company’s login system was updated, to change their passwords.
Chinese social media on the same day circulated screenshots taken from an anonymous corner of the internet known as the dark Web, which showed that intranet access to AcFun and bicycle-sharing service Mobike were put up for sale. Access to AcFun’s intranet was priced at 400,000 yuan (US$62,457), while the cost of Mobike access was not stated. Both deals accepted only cryptocurrency bitcoin.
Later that day, Chinese social media circulated another screenshot from the dark Web of a hacker named “SakuraK”, who claimed responsibility for the cyberattack on AcFun and was selling the firm’s intranet access as “revenge” for ignoring more than 10 emails that he sent to the company. He did not state what those emails were about or when he sent them.
The hacker published the personal data – username, email address and password – of 300 AcFun users on Github, a popular online hosting service for software developers, on Wednesday afternoon. He threatened to publish the information of 3,000 more AcFun users by June 15 if he received no response from the company. Data from another 10,000 users will be published by June 18 if there was still no response, he said.
A spokeswoman of Beijing-based AcFun said the company was “handling” the matter, but declined further comment. She did not immediately reply to an inquiry on the number of AcFun’s monthly active users.
A Mobike spokeswoman said the bike-sharing company was doing a security check on its website and that it had not found any data leakage. There was no immediate response to an inquiry about the data breach the Ministry of Industry and Information Technology.
AcFun’s disclosure of the cyberattack has come more than a week after Kuaishou, the social video-streaming app operator backed by Tencent Holdings, acquired the company for an undisclosed amount.
Under the terms of that deal, AcFun retained separate branding, operations and development. Its main domestic rival, Nasdaq-listed Bilibili, reported 77.5 million monthly active users during the first quarter of this year.
AcFun had been criticised by its users last year for server instability issues.