Qihoo 360 Accidentally Exposed a Private SSL Key, Putting Its Platform at Risk
Why It Matters
A compromised private key threatens billions of users and undermines trust in one of China’s largest security vendors, highlighting systemic supply‑chain risks.
Key Takeaways
- Private SSL key leaked in installer package.
- Key covers myclaw.360.cn and all subdomains.
- Valid through April 2027, enabling impersonation attacks.
- Qihoo 360 may revoke and replace certificate soon.
- Incident highlights lax security practices at large Chinese firms.
Pulse Analysis
The accidental exposure of Qihoo 360’s private SSL key underscores how a single misstep can jeopardize an entire digital ecosystem. The leaked key belongs to the myclaw.360.cn domain, a critical component of the newly launched 360 Security Claw AI assistant, and remains valid until 2027. With full control over the certificate chain, threat actors could craft convincing phishing sites, perform man‑in‑the‑middle interceptions, or hijack the AI‑agent wrapper, potentially compromising user credentials across millions of devices.
Beyond the immediate technical fallout, the incident raises broader concerns about supply‑chain security in China’s fast‑growing cybersecurity market. Qihoo 360, often dubbed the "Chinese McAfee," commands a $10 billion valuation and serves hundreds of millions of users worldwide. Yet the failure to vet a public ZIP archive before distribution suggests gaps in internal code‑review and asset‑management processes. Such oversights can erode confidence among enterprise customers and regulators, especially as the firm faces ongoing antitrust scrutiny and past allegations of hidden backdoors.
For businesses, the lesson is clear: robust key‑management practices are non‑negotiable. Organizations must enforce strict controls over private certificates, employ automated scanning for sensitive artifacts, and maintain rapid revocation procedures. As cybercriminals increasingly target supply‑chain weaknesses, firms that demonstrate rigorous security hygiene will retain competitive advantage, while lapses like Qihoo 360’s could trigger reputational damage, regulatory penalties, and loss of market share.
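The "automated scanning for sensitive artifacts" recommended above, as an added example (not code from the article or from Qihoo 360): a stdlib-only Python check that walks an installer ZIP, including nested archives, and flags PEM private-key blocks or keystore-style files before the package ships. The sample installer and the placeholder key inside it are constructed for the demonstration.

```python
import io
import re
import zipfile

# PEM armor headers that mark private-key material (PKCS#1, SEC1, PKCS#8).
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Extensions that usually carry keys or keystores even without PEM armor.
KEY_EXTENSIONS = (".key", ".pem", ".p12", ".pfx", ".jks", ".keystore")


def scan_zip_bytes(data, prefix="", max_depth=3):
    """Return (path, reason) findings for private-key material in a ZIP.

    Nested archives are unpacked in memory and scanned recursively instead
    of being matched as raw bytes, so each key is reported once, at the
    innermost path where it lives.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            content = zf.read(info)
            if max_depth > 0 and content.startswith(b"PK\x03\x04"):
                findings.extend(scan_zip_bytes(content, path + "!/", max_depth - 1))
                continue
            if PEM_PRIVATE_RE.search(content):
                findings.append((path, "PEM private key block"))
            elif info.filename.lower().endswith(KEY_EXTENSIONS):
                findings.append((path, "key/keystore file extension"))
    return findings


def build_sample_installer():
    """Constructed sample: installer ZIP with a key hidden in a nested archive."""
    fake_key = (b"-----BEGIN PRIVATE KEY-----\n"
                b"MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCPLACEHOLDER==\n"
                b"-----END PRIVATE KEY-----\n")  # placeholder, not a real key
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("config/server.crt", b"-----BEGIN CERTIFICATE-----\n...\n")
        zf.writestr("config/server.key", fake_key)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("setup.exe", b"MZ\x90\x00 constructed, not a real binary")
        zf.writestr("resources.zip", inner.getvalue())
        zf.writestr("legacy.pfx", b"\x30\x82 constructed keystore bytes")
        zf.writestr("notes.txt", b"release notes")
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip_bytes(build_sample_installer()):
        print(f"{path}: {reason}")
```

A certificate file on its own is deliberately not flagged; only the private half, or a container that normally holds it, blocks the release.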