Data leak of 130,000 China Railway passengers including usernames, passwords, and e-mail addresses

Personal data of more than 130,000 customers who purchased train tickets on China’s official online railway ticketing site, 12306.cn, were leaked due to an unknown reason. The travellers whose data has been leaked are panicking as such data can be used for identity theft, online fraud or any other illegal activity.

Real-name registration must be provided to purchase tickets via the official website.The local news reported that data such as usernames, e-mail address, passwords, and phone numbers of over 130,000 customers of official railway ticketing website of China Railway, 12306.cn had been leaked. The leak is discerning for the Chinese citizens as all the China Railway passengers are required to register with real names and email ids to purchase the tickets.

The incident was first discovered by local IT security vendor Woo Yun and later confirmed by the website, 12306.cn. Before that, however, local news websites had started reporting about the leak and triggered a panic among the 12306.cn users.

China Railway while confirming the leak said that the said leak was not caused by its website and had originated from other online sites. “All the leaked information contains plain text, while the information in our website’s database is completely encrypted, which means the data leaked via other websites or channels,” it said in a statement.

Though the real cause of the leak is still being investigated, preliminary reports suggest that the leak could have been the result of third-party plugins or App used by 12306.cn.