Learning app suspected of mass data leak

Chaoxing Xuetong is believed to have leaked up to 170 million items of private information.

Photo from CFP

Photo from CFP

By CHEN Zhenfang


On June 20, Chaoxing Xuetong, a learning app for college students, was accused of leaking 170 million pieces of personal user information. The leaked data includes users’ names, mobile phone numbers, gender, schools, student numbers, and email addresses.

The company claimed on Tuesday that no clear evidence of user information leakage had been found, and the public security organ was involved in the investigation.

“We do not store the user’s plaintext password and adopt one-way encrypted storage. In theory, the passwords will not be leaked,” the company said.

On the same day, Jiemian News attempted to contact Chaoxing Xuetong several times, but as of going to press, no reply had been received.

The Chaoxing Xuetong app has a high penetration rate in Chinese universities.

Many university students told Jiemian Education that they used Chaoxing Xuetong for real-name authentication, and they have been using the app frequently to study elective courses, attend classes, sign in, download school materials, and take exams during the pandemic.

LI Xiaolan, a junior college student, told Jiemian Education that the app showed that she had used the site 200,800 times, which means that she browsed it more than 200 times a day.

However, she said she rarely used the application during the holidays, so it was impossible to reach such high numbers.

On social media platforms such as Weibo, many students also posted screenshots of their own learning interfaces, claiming that the number of use times displayed was far higher than the reality, further stoking student fears.

Many students said they used the same mobile phone number and password to register many personal apps and bank cards and were worried about the consequences of the data leak.

This is not the first time Chaoxing Xuetong has been under fire for data concerns. In January 2021, the company was named by the Ministry of Industry and Information Technology twice and notified for its illegal collection of user information. The official notified the application again in July of the same year for inspection and rectification.