[Updated] Have Millions Of Xiaomi User Accounts Been Compromised? Delhi Court’s Restraining Order Shows It Might!

[Updated with Xiaomi’s statement]

Xiaomi has obtained a permanent injunction against Indian InfoSec Consortium and Taiwan based security expert Mr. Chen Huang that restrains them from disclosing any information in regards to Xiaomi user accounts that they may possess.

Here is the entire story.

Taiwan based security researcher, Mr. Chen Huang was supposed to give a presentation on his research, titled: “Privacy-Alert: Exposing China-based XIAOMI Mobiles” at Asia’s biggest hackers conference, Ground Zero Summit (G0S) 2014 organized by Indian InfoSec Consortium in New Delhi (on 13th & 14th November).

In regards to his presentation, the website said,  “In this session Taiwanese Researcher will demonstrate how Xiaomi Phones have been sending device data and personal data of Xiaomi Phone user to Chinese Servers. The Researcher will also release Server Logs, Mi Account username, Emails and passwords of millions of Xiaomi users which have been obtained using a Zero Day flaw in the Xiaomi Servers.”

In short, Chen Huang was going to demonstrate how Xiaomi phones have been sending data to Chinese servers and he had server logs, account user names, emails and passwords to prove it.

From Xiaomi’s point of view, they have done the right thing by bringing a restraining order, so as to ensure that their user data does not become public. However, there is something quite startling in the what Xiaomi has said. They have mentioned that the researcher may be holding millions of Mi phone user names and passwords, which is quite significant.

It is known fact that Xiaomi was sending the user data to Chinese servers, and subsequently they took steps to ensure user has a choice of avoiding it. The significant thing however this court order points is that Xiaomi thinks millions of user accounts may have actually been compromised.

[Update]

Manu Kumar Jain, head of Xiaomi India operations, got back to us with their side of the story. Here is the official statement made by him.

We have verified that the zero-day data breach allegation made earlier by security researcher Chen Huang is a hoax. Chen Huang had threatened to expose Xiaomi’s user data during a session at the Ground Zero Summit 2014, but did not approach us under the “Responsible Disclosure” guidelines.

 After a comprehensive investigation, we found that the data Chen Huang claimed to have obtained was from a two-year-old user account file that was unfortunately leaked in May 2014. The information contained in that file, however, was obsolete. It came from user accounts registered before August 2012, before we launched the Xiaomi Account integrated system in September 2012.
Chen Huang had made deliberately false and defamatory claims that he has obtained the data through an existing vulnerability. We therefore took the necessary legal action and successfully obtained a court order to prevent Chen Huang from taking the stage to publicize untruths with the sole aim of damaging Xiaomi’s reputation.

 We treat our users’ privacy very seriously. We do not collect or store users’ personal information without users’ consent, and we take numerous steps to ensure that any data we collect is transferred and stored securely.

 

Complete Court Restraining Order.