We found that one of the Kii Cloud sites in China, "CN3", had been misconfigured and that some data stored by applications could have been accessible externally. The CN3 site is only used by free and trial developers. We have already fixed this issue and contacted the developers who have applications in CN3.
Part of our application's cached data was potentially accessible externally. The data is in our application's internal format, and to the best of our knowledge, there is no evidence that it was accessed by external parties.
The issue may affect all applications using the CN3 site, and potentially part of the data used by at most 1.6M end users (including inactive users). The CN3 site is located in mainland China, so most of the affected users are expected to be in China.
Background of this issue
The affected CN3 site (the only one affected) is in Aliyun Cloud. Most Kii platform sites are in AWS and are unaffected. This site was built in 2014, at a time when Aliyun was actively enhancing its features. Because of these circumstances, the site has a unique security requirement compared with other sites. An operational change we made recently did not take this uniqueness sufficiently into account and introduced a misconfiguration. Although the misconfiguration did not cause any issue in AWS and newer Aliyun sites, it caused an issue in this site and triggered the incident.
The misconfiguration did not affect any sites outside China or other Aliyun-based sites.
The misconfiguration was corrected, and we have contacted the developers who have applications in the CN3 site. The Kii DevOps team is currently implementing holistic protection to ensure that this kind of issue does not happen again at any site. We deeply apologize for the inconvenience this issue has caused.