What Happened
In late 2016, the Chinese video streaming service Youku suffered a data breach that exposed approximately 92 million user accounts, with some sources reporting over 100 million records compromised. The breach occurred on December 1, 2016, and was publicly discovered and verified in April 2017. The exposed data included email addresses and MD5-hashed passwords, with some accounts also containing phone numbers and viewing history. The breach was attributed to security vulnerabilities including an unpatched SQL injection vulnerability and a misconfigured Elasticsearch server that allowed attackers to bypass system firewalls and access core databases. The stolen data was subsequently sold on dark web marketplaces for approximately $300 USD, highlighting the massive privacy threat posed to Youku’s users and raising concerns about the company’s failure to implement adequate cybersecurity protections required by Chinese law for platforms handling data from over one million users.
