A security researcher claims to have obtained usernames and passwords of Xiaomi Mi Account holders by using a zero-day exploit in Xiaomi's servers.
According to a report by The Hacker News, Taiwanese security researcher Chen Huang contacted the website and "provided a partial database of a few thousand Xiaomi users, which confirmed that millions of Xiaomi Mi accounts have already been compromised."
Based on publicly available information, there is no way to confirm whether the researcher's claims are true. NDTV Gadgets made repeated attempts to contact Xiaomi India for a statement on the subject before this report was filed, but no response was forthcoming. Xiaomi ultimately gave an email statement (reproduced below) calling the researcher's claim of a zero-day exploit on the company's servers a "hoax" and saying the usernames and passwords represented old user accounts that had since been migrated to the revamped Xiaomi Account integrated system.
The Hacker News report claims that Huang was supposed to present a paper on the subject at a security conference in Delhi, India next month, but he has since been removed from the list of speakers. The researcher was to "demonstrate how Xiaomi Phones have been sending device data and personal data of Xiaomi Phone users to Chinese Servers. The Researcher will also release Server Logs, Mi Account username, Emails and passwords of millions of Xiaomi users which have been obtained using a Zero Day flaw in the Xiaomi Servers."
The conference website still has Huang listed as one of the speakers, but the organisers reportedly told The Hacker News that "'Privacy-Alert: Exposing China-based XIAOMI Mobiles' session has been withheld till the time Xiaomi investigates the data breach and accusations made by the researcher. According to the paper, the vulnerability could have been utilised by anyone to convey a data and privacy breach."
Here is the email statement issued by Xiaomi on the report:
We have verified that the zero-day data breach allegation made by security researcher Chen Huang and the Ground Zero Summit organizing committee reported by The Hacker News on October 30, 2014 is a hoax. The zero-day vulnerability reported by the cyber security researcher, Chen Huang, is a deliberate falsehood, and Xiaomi is taking the necessary legal action against the parties involved.
To date, throughout Xiaomi's history, there has only been one incident in which a two-year-old user account file was leaked in May 2014. After conducting a comprehensive investigation, we concluded that file contained information from user accounts registered before August 2012 in an old version of the Xiaomi user forum website. That information became obsolete when, in September 2012, we launched the Xiaomi Account integrated system.
In response to the incident in May 2014, we immediately requested users to change their passwords. We also announced the incident publicly via social media and to our user forums on May 14, 2014.
Chen Huang has recently threatened to expose data from the old user account file during a session at the upcoming Ground Zero Summit 2014, falsely claiming it to be data compromised through an existing vulnerability. This is a grave accusation, as we take our users' privacy very seriously, and we will seek legal action against the involved parties.