Hackers Strike Tianya Within 12 Hours of Its Revival: A Data Crisis Amid Nostalgia

When the iconic Tianya community relaunched on June 1, 2026, hackers exploited its modern stack within twelve hours, dumping over 127 million user records and exposing how nostalgic platforms can suffer severe security flaws under sudden traffic spikes.

Black & White Path

In the early morning of June 1, 2026, the long‑dormant Tianya community (tianya.net) reopened after more than three years of inactivity, instantly rekindling nostalgia among Chinese netizens. The platform announced that users’ posts, friends, and saved articles were still available, and it introduced a new domain and a “Genesis Member” program that mixes Web3.0 elements with e‑commerce.

Attack Timeline and Scale

On the same day, a post titled “China 2026‑6‑1‑tianye.net‑Hackers Memoir: Tianya Twelve Hours” appeared on the BF hacker forum. The author, “ChinaTomchen”, claimed to have dumped more than 127 million user records—including usernames, password hashes, and registration emails—within twelve hours of the site’s launch.

Technical Stack of Tianya

Tianya’s revival relied on a customized Discuz! front‑end, a Kubernetes‑orchestrated TiDB 7.x cluster, row‑level encryption, and a hybrid high‑defense setup spanning Alibaba Cloud and Tencent Cloud. The operators described the architecture as “solid as a fortress”.

Attack Methodology

The attackers launched a multi‑vector assault that included an HTTP/2 flood, CC (Challenge‑Response) attacks, and DNS amplification. The flood overwhelmed both the defense mechanisms and the logging system, creating “noise” that concealed further exploitation.

Using a large pool of residential and mobile proxies, the attackers performed low‑frequency probes of search interfaces and legacy APIs. Under the extreme load, TiDB’s query optimizer exhibited latency, which the attackers leveraged to execute time‑based blind SQL injection and boolean blind injection, obtaining low‑privilege accounts.

Subsequently, they performed cross‑shard query mapping to locate the target database, directly accessed the server at IP 124.225.4.242, and exfiltrated data in small, seemingly normal batches. The exfiltration left only a minimal in‑memory backdoor, which was later cleared to erase traces.
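An added example, not taken from the original post or from Tianya's systems: a log check showing why the low‑frequency, proxy‑distributed probing described above stays under per‑source counters, and how grouping by endpoint and parameter surfaces it. The log format, thresholds, function names, and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (not incident data): "source_ip request_target status seconds"
SAMPLE_LOG = """\
203.0.113.10 /search?q=travel+notes 200 0.21
203.0.113.11 /search?q=a'+AND+SLEEP(5)--+ 200 5.32
198.51.100.7 /search?q=old+photos 200 0.35
198.51.100.8 /search?q=b'+AND+SLEEP(5)--+ 200 5.41
192.0.2.44 /search?q=c'+AND+SLEEP(5)--+ 200 0.30
203.0.113.12 /search?q=d'+AND+SLEEP(5)--+ 200 5.28
"""

# Delay primitives of MySQL-compatible engines (TiDB speaks the MySQL dialect).
DELAY_FN = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)

def parse(line):
    ip, target, _status, secs = line.split()
    url = urlsplit(target)
    return ip, url.path, parse_qsl(url.query, keep_blank_values=True), float(secs)

def analyze(log_text, per_ip_threshold=5, min_sources=3, delay_margin=2.0):
    per_ip = defaultdict(int)      # classic per-source counter
    per_param = defaultdict(list)  # (path, param) -> [(ip, seconds)]
    benign = defaultdict(list)     # path -> latencies of clean requests
    for line in filter(str.strip, log_text.splitlines()):
        ip, path, params, secs = parse(line)
        flagged = [name for name, value in params if DELAY_FN.search(value)]
        if not flagged:
            benign[path].append(secs)
        for name in flagged:
            per_ip[ip] += 1
            per_param[(path, name)].append((ip, secs))
    ip_alerts = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    param_alerts = {}
    for (path, name), hits in per_param.items():
        sources = {ip for ip, _ in hits}
        if len(sources) < min_sources:
            continue
        base = median(benign[path]) if benign[path] else 0.0
        # Slower than the endpoint's clean baseline: the delay likely ran in the database.
        delayed = sum(1 for _, secs in hits if secs - base >= delay_margin)
        param_alerts[(path, name)] = {"sources": len(sources), "delayed": delayed}
    return ip_alerts, param_alerts

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, the per‑source rule raises nothing because every address sent a single request, while the per‑parameter view flags `/search` `q` and counts how many of those requests were measurably slowed, which is the signal to prioritise for a code fix.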

Monetisation of the Stolen Data

The post concludes with the hacker offering the AES‑256‑encrypted data set for $10,000 and providing a Telegram contact for the transaction.

Broader Implications

The incident highlights the fragility of legacy internet communities undergoing digital transformation. While Tianya’s revival attempted to modernise its stack, the sudden traffic surge and the inherent performance edge cases of TiDB under extreme load created exploitable windows.

For ordinary users, the breach means that decades‑old email addresses and password hashes could be exposed again, especially for accounts that have never changed passwords.

Ultimately, the case underscores that nostalgic platforms must invest beyond superficial upgrades; high availability, robust defense, and rigorous data‑security practices are essential to survive in the 2026 internet ecosystem.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
