by kerng 2212 days ago
It makes perfect sense that the government gets all the cleartext passwords forwarded.

People reuse passwords, so it's likely that WeChat passwords allow access to other systems (like Facebook, Twitter, Alibaba, Amazon, ...).

This attack angle of just collecting passwords for the government had not occurred to me before.


I'm surprised that hasn't been raised before. Tons of passwords on the web are still 100% plaintext on the other end of the TLS connection.

And then people are surprised about where those ginormous plaintext password leaks come from.

All kinds of popular online forum engines have been hacked for password capture since time immemorial. phpBB still uses server-side hashing, for example.

Now, for people concerned, take a look at which party sank crypto forms at the W3C.

Not saying this isn't important data, but at some point does 2FA make this an ineffective method to spy on your citizens? If I have 2FA on my Amazon account and the CCP tried to get into it, I would just get a notification with a code and do nothing except maybe change my password. Additionally, there are probably all sorts of account logs saying "this is who logged in when from what IP address" that are associated with a lot of these accounts.

Direct access via the companies themselves is probably much more valuable today.

SMS-based 2FA is pretty weak; I think you can reasonably assume that a resourceful government adversary can silently divert SMS codes intended for your phone to their systems.

In the case of China in particular, we know that parts of the "Great Firewall" have IP addresses associated with Chinese residential ISPs; whether those are "hijacked" or the relevant agency just asks nicely, we do not know. So it may be that "Chinese central government intelligence agency" and "my neighbour's WiFi" are similar IP addresses if you live there.

But yes, multi-factor authentication can reduce the impact of credential stuffing attacks.
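The account logs mentioned above ("who logged in when from what IP") are exactly what lets a defender spot credential stuffing with reused passwords. Added example, not code from the thread or from any service it names: it assumes a constructed log format of `timestamp ip=<addr> user=<name> result=<ok|fail>` and flags source addresses that try many distinct accounts with a high failure ratio, together with the accounts where such a source eventually got in (the ones 2FA or a forced reset would protect).

```python
"""Credential-stuffing triage over login audit logs (added example)."""
from collections import defaultdict

# Constructed sample (not real data): one address spraying reused
# credentials across several accounts with a single hit, and one user
# mistyping her own password twice from her usual address.
SAMPLE_LOG = """\
2019-10-03T10:00:01Z ip=203.0.113.7 user=alice result=fail
2019-10-03T10:00:02Z ip=203.0.113.7 user=bob result=fail
2019-10-03T10:00:03Z ip=203.0.113.7 user=carol result=fail
2019-10-03T10:00:04Z ip=203.0.113.7 user=dave result=fail
2019-10-03T10:00:05Z ip=203.0.113.7 user=erin result=fail
2019-10-03T10:00:06Z ip=203.0.113.7 user=frank result=ok
2019-10-03T10:05:00Z ip=198.51.100.2 user=alice result=fail
2019-10-03T10:05:10Z ip=198.51.100.2 user=alice result=fail
2019-10-03T10:05:20Z ip=198.51.100.2 user=alice result=ok
"""


def parse_line(line):
    """Turn one log line into a dict of its key=value fields (timestamp dropped)."""
    return dict(part.split("=", 1) for part in line.split()[1:])


def find_stuffing_sources(log_text, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: sorted accounts it successfully logged into} for sources
    that hit at least `min_accounts` distinct users with mostly failures.
    A single user failing repeatedly from one address is not flagged."""
    users = defaultdict(set)                  # ip -> distinct usernames tried
    attempts = defaultdict(lambda: [0, 0])    # ip -> [failures, total]
    successes = defaultdict(set)              # ip -> usernames it got into
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        ip, user = f["ip"], f["user"]
        users[ip].add(user)
        attempts[ip][1] += 1
        if f["result"] == "ok":
            successes[ip].add(user)
        else:
            attempts[ip][0] += 1
    flagged = {}
    for ip, (fail, total) in attempts.items():
        if len(users[ip]) >= min_accounts and fail / total >= min_fail_ratio:
            flagged[ip] = sorted(successes[ip])
    return flagged


if __name__ == "__main__":
    for ip, hits in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: stuffing pattern; accounts needing 2FA/reset: {hits}")
```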