Qihoo 360 leaked wildcard SSL key — 461M affected

China’s Qihoo 360 accidentally exposed its wildcard SSL private key inside a public AI installer, potentially impacting 461 million users, in what has been reported as a stark operational-security failure. Exposure of a wildcard key like this can let attackers impersonate subdomains or decrypt traffic if the key is not rotated immediately.

Security researcher Lukasz Olejnik publicly flagged the installer disclosure on X on March 16, 2026, after extracting the files from the package. (vpncentral.com) The embedded certificate carried the subject CN=*.myclaw.360.cn and was issued by WoTrus CA Limited with a validity window from March 12, 2026 to April 12, 2027. (awesomeagents.ai) Standard OpenSSL modulus checks produced identical MD5 fingerprints (446097b7674080186a469ecb0945f5af) for the RSA key and the certificate, confirming that the installer contained the matching private key. (awesomeagents.ai) Researchers reported that the files lived inside the installer at /path/to/namiclaw/components/Openclaw/openclaw.7z/credentials and included additional myclaw.360.cn credentials alongside the key. (awesomeagents.ai)

360 announced that it had applied for revocation of the affected certificate and stated that the *.myclaw.360.cn name resolves to 127.0.0.1 and is used for local-only services. (kucoin.com) The package is tied to 360’s newly released OpenClaw-based agent branded 360安全龙虾 (Security Claw), which entered public distribution in mid-March 2026. The company is reported to serve roughly 461 million users, with an estimated $10 billion valuation. (163.com)
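The modulus check mentioned above can be reproduced on any certificate and key pair. The script below is an added example, not taken from the researchers' reports or from 360: it generates a throwaway self-signed wildcard certificate (the name `*.example.test` and all file names are constructed) and compares the MD5 digest of the RSA modulus of the certificate with that of two candidate keys.

```shell
#!/bin/sh
# Added example: confirm whether a private key and a certificate share the
# same RSA modulus. All names and files here are constructed for illustration.

# Print the MD5 digest of the RSA modulus. $1 = "x509" or "rsa", $2 = PEM file.
modulus_md5() {
    mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$mod" ] || return 2
    printf '%s\n' "$mod" | openssl md5 | awk '{print $NF}'
}

# Exit status: 0 = key matches certificate, 1 = mismatch, 2 = unreadable input.
key_matches_cert() {
    cert_fp=$(modulus_md5 x509 "$1") || return 2
    key_fp=$(modulus_md5 rsa "$2") || return 2
    [ "$cert_fp" = "$key_fp" ]
}

# Constructed sample material: a throwaway self-signed wildcard certificate
# with its key, plus an unrelated key, all in a temporary directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=*.example.test' \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
openssl genrsa -out "$tmp/other.pem" 2048 2>/dev/null

# Report which candidate key belongs to the certificate.
for k in key.pem other.pem; do
    if key_matches_cert "$tmp/cert.pem" "$tmp/$k"; then
        echo "$k: modulus digests are identical, key matches the certificate"
    else
        echo "$k: no match"
    fi
done
```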
