Back in December 2011, reports were circulating of a data breach at one of the big Chinese social networking sites, Tianya.cn, suggesting that the login credentials of some 40 million users were potentially exposed. Clear text username and password combinations were stolen by hackers during the breach, although a Tianya spokesperson at the time said that only those users who registered before November 2009 would have had clear text logins, as after that the service had implemented encryption (!). Quite why the existing membership data could not have been encrypted at this point is, frankly, beyond me. Word on the webvine at the time was that unencrypted data was not secured or deleted when the servers and systems were upgraded, and the Tianya administrators had to shoulder that failure. While the 40 million figure bandied around at the time seemed huge, later reporting suggested it wasn't that bad; 'only' 4 million users ended up having their usernames and passwords published online by the hackers for everyone to see.
Fast forward to now, and the Tianya story just keeps on giving. Steve Thomas, the co-founder of PwnedList, was interviewed recently and reckons that his outfit has managed "to find over 28 million credentials, including plaintext passwords" from that breach in 2011. The data was, according to Thomas, provided by a Chinese hacker who pointed PwnedList at a 'leak share' site that included the Tianya dataset.
If you are concerned that your logins may have been compromised, you can run a quick (and free) check for mentions of your email address in the PwnedList database. Thomas has promised a new feature coming soon that will enable searching of the breach database by username and Twitter nickname as well as email, and a new database of phishing attack victims for good measure.