China Railway Corporation's website is compromised
Passenger information leaked from the 12306 website
The China Railway Corporation has announced that police have detained two people suspected of illegally obtaining and disclosing personal information from its official ticket purchasing website, www.12306.cn. They urge consumers not to use the same password for different websites or to purchase tickets from a third-party website.
The company said on its official Weibo account that two suspects -- surnamed Jiang and Shi -- were arrested on Thursday night. The pair are alleged to have illegally accessed user information stored in the website's ticket sales system, using usernames and passwords that had been leaked by other websites for profit. The theft comes amid peak travel season in China, as many attempt to profit from passengers. Experts say the website should improve its security to prevent this happening again.
"Suspects could get information simply by trying users’ details leaked from other websites. Over 140,000 personal ID numbers, e-mail addresses and phone numbers of train ticket buyers had been leaked online for profit," said Li Tiejun, Internet security expert.
The leak was reported by an internet security monitoring platform, which gave it its highest risk level.
"One internet user saw someone else selling user data from the ticket purchasing website. He then found out his own data were also on sale. He was so angry that he reported it to us," said Meng Zhuo, co-founder of Wooyun.org.
Experts say the website has a major bug: no security code is required when logging in repeatedly. Consumers are advised to use a more abstract username and to change their passwords regularly.