Why Unknown Passengers Appear in Your 12306 Account and Can't Be Deleted

Several netizens have reported that unknown passenger entries have mysteriously appeared in the "traveler" list of their 12306 accounts, and these entries cannot be deleted within the platform’s 30‑day restriction period.

The issue first surfaced when users, while checking tickets for themselves or friends, discovered strangers in their saved contacts. Some users also reported that after assisting friends with "ticket‑grabbing" services, their accounts were logged into at night and used to purchase tickets.

Official 12306 customer service explained that the most common cause is users authorising third‑party software or platforms to access their 12306 account. These third‑party services store the account credentials and may misuse them to add unauthorized passengers for ticket purchases.

Third‑party platforms, especially those offering "acceleration packages" to improve ticket‑grabbing success, do not actually change the official queue order. Ticket acquisition still depends on two scenarios: (1) a seat becomes available due to another passenger’s cancellation or change, or (2) the railway adds temporary trains based on real‑time demand. The so‑called "acceleration" merely monitors seat availability or logs in with the user’s authorized credentials.

Some platforms even employ a paid "manual ticket‑grabbing" mode that randomly binds other users' identity information to the attacker’s account, explaining why strangers appear in the passenger list.

The incident revives concerns about personal information security. A similar large‑scale data leak occurred in December 2014, exposing over 130,000 records—including usernames, plaintext passwords, ID numbers, and emails—through black‑market channels. Although 12306 later clarified that its database passwords are encrypted, the breach likely originated from third‑party platforms or credential‑stuffing attacks, where hackers reuse leaked credentials to try logging into 12306.

Users are advised to unbind any third‑party authorisations by calling 12306 customer service with their registered phone number, then change their password repeatedly to cut off illegal access. Entries that have already been added can only be removed after the 30‑day lockout expires. In extreme cases, users may cancel their account at a railway ticket office and re‑register.

Railway authorities repeatedly stress that 12306 is the sole official ticketing platform and recommend purchasing tickets only through the official website or app, avoiding any third‑party services that request the 12306 username and password.

Overall, the "unknown passenger" phenomenon serves as a vivid lesson on personal data security in the digital age: each unnecessary authorisation or password reuse lowers the security barrier, and protecting one’s official 12306 credentials is the first step toward safeguarding personal information.