Data belonging to 538 million users of Chinese microblogging site Weibo has been found for sale of the dark web for a surprisingly low price.

Discovered by Chinese blockchain news outlet Jinse March 19, the data was found listed for sale for 0.177 bitcoin ($1,182). ZDNet reported a second listing of the same data for RMB1,799 ($254).

The data includes real names, site usernames, gender and location details as well as the phone numbers of 172 million users. The database does not include passwords, explaining why the database was being offered for a low price.

Weibo Corp. said in a statement today that the data had been gathered through multiple third-party platforms, including a service that matched different users based on their address book, Weibo nickname, QQ number and email address. The company, which is listed on the Nasdaq, went on to note that it does not store user passwords in plain text and uses encryption to make sure that passwords cannot be stolen.

“However, the current security situation is severe and some users still use the same account passwords on other platforms which may lead to the risk of their Weibo accounts being stolen,” the company added.

Although little-known in the west, Weibo is huge in mainland China and is roughly the equivalent of Twitter Inc. in the west. According to eMarketer, about 27% of all mainland Chinese use the platform as of 2019 and that figure is expected to grow to nearly 30% in 2021.

Tim Erlin, vice president, product management and strategy at cybersecurity firm Tripwire Inc. told SiliconANGLE that transparency and details on a breach are difficult to get at the best of times, but getting accurate details out of China in the midst of a global pandemic is even more unlikely.

“This collection loses significant value without passwords included but that doesn’t mean those affected shouldn’t be concerned,” Erlin said. “A large collection of valid phone numbers is very useful for running any variety of SMS campaigns or attacks. Valid usernames can be used in phishing campaigns. This collection of data might be combined with other stolen sets of data to produce even more value for attackers.”

Image: jonrussell/Flickr