UPDATED 10:04 EST / JANUARY 03 2012

100 Million Chinese Usernames, Passwords Leaked in Massive Hack Heist

China has been in the news recently, blamed as the origin of various hacking attacks against the rest of the globe, but last week brought news of Chinese citizens themselves being targeted by hackers. In a massive leak, 100 million Internet usernames, passwords, and e-mail addresses were exfiltrated from dozens of China’s most popular online destinations, including shopping, microblogging, social networking, and gaming websites.

The leak happened between December 21st and 26th, and last week it caused widespread distress among Chinese citizens as they rushed to change all of their passwords to avoid having their accounts compromised. Caixin Online has much of the news about the leak, but the huge number of total leaked accounts is only the beginning of the story.

Shi Xiaohong, vice president of the anti-virus company Qihoo 360, came forward to attribute the hacks to companies failing to encrypt their users’ passwords and login credentials. If this is the case, the lack of encryption is extremely prevalent. Caixin Online mentioned that legal experts they consulted suggested this revealed fatal flaws in the Chinese laws regulating Internet security and online ID theft protection.

The United States might have similar issues: numerous corporations have been struck by hackers who have stolen users’ login credentials, but there are no laws requiring companies to encrypt such information. Instead, users must rely on the common sense of corporations to protect that information. Often, only credit card and financial information is held in encrypted tables to prevent its easy pilfering by hackers. This has been an issue especially with LulzSec and even the Sony PlayStation Network blackout, after hackers broke into Sony’s systems and stole numerous user credentials.

“Currently there are only ten laws and regulations, mostly pertaining to the information industry,” Beijing Lanpeng Law Firm head Zhang Qihuai said, but because legislators have yet to clarify how exactly the general rules should be applied “it’s impractical to use them to protect users.”

Chinese officials have urged companies to warn their users at once and ask them to change their passwords immediately; they have also strongly suggested that companies begin using encryption on sensitive user information such as usernames and passwords.

In the past, when users’ credentials have been stolen and leaked to the Internet, it has been done by groups such as AntiSec or LulzSec in order to embarrass large corporations and show their users exactly how unprotected their data is in those corporations’ hands. It is a poor time for any company that takes login information from users to go without effective encryption protecting their databases of login credentials.

Also, many users keep the same usernames and passwords across multiple sites, primarily for ease of memory. Anyone whose password has been taken once is therefore exposed to further intrusions when hackers test other sites with those same credentials.

As a result, it is best for users to use different passwords for different sites on the Internet and to change them regularly.

