Qihoo 360, China’s largest cybersecurity company, has nearly 460 million users and a valuation of about $10 billion. In early 2026, an open-source AI tool called OpenClaw became extremely popular in China because it allows users to delegate tasks to artificial intelligence. Security researchers quickly flagged OpenClaw for dangerous vulnerabilities, including risks of password theft, exposure of personal data, and potential abuse that could allow attackers to control user devices.
In response, Qihoo 360 launched its own product, 360 Security Lobster, built on the OpenClaw platform but packaged with promises of greater safety, ease of use, and security. During the launch, founder Zhou Hongyi said 360 Security Lobster would not harm systems, would not delete data, and would never leak passwords or users’ private information—statements intended to build trust among millions of users.
Just six days after the launch, on March 16, security researchers uncovered a serious issue. They found that the installer released by Qihoo 360 had inadvertently embedded an SSL private key. The SSL private key is the cryptographic key used to secure the platform’s infrastructure. Researchers said that anyone who downloaded the app and unpacked the file could locate the key without any hacking skills.
The private key can function like a master key, enabling anyone to impersonate Qihoo 360’s system. This creates risks such as fraudulent login pages and the ability to covertly intercept and decrypt user data.
The risk is amplified because 360 Security Lobster was created to address vulnerabilities associated with OpenClaw. While earlier OpenClaw issues were described as related to usage or external software, this leak directly affects the system’s infrastructure. Experts said the impact is more severe than prior vulnerabilities that CNCERT had warned about in relation to OpenClaw.
Experts also characterized the problem as a basic software development error rather than a complex bug. They said sensitive data should be stored separately and must not appear in externally released files.
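One way to enforce that rule before a package ships, as an added example that is not Qihoo 360's code or anything from the original report: a release gate that searches a packaged build, including nested archives, for PEM private-key headers. It assumes the release is handed over as a ZIP; the file names and the placeholder key are constructed for the demonstration.

```python
import io
import re
import sys
import zipfile

# PEM headers for private keys (PKCS#1, PKCS#8, SEC1, OpenSSH; encrypted or not).
PEM_KEY = re.compile(rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")
MAX_MEMBER = 64 * 1024 * 1024  # skip oversized members instead of inflating them
MAX_DEPTH = 3                  # bound recursion into nested archives


def scan_blob(blob, path, depth=0):
    """Return [(path, key_label)] for each PEM private-key header found."""
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(blob)):
        hits = []
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                member = f"{path}!{info.filename}"
                hits += scan_blob(zf.read(info), member, depth + 1)
        return hits
    # Not an archive (or too deep): search the raw bytes, text or binary.
    return [(path, m.group(1).decode()) for m in PEM_KEY.finditer(blob)]


def build_sample_release():
    """Constructed sample: a zip whose nested resource bundle holds a fake key."""
    fake_key = (b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
                b"-----END PRIVATE KEY-----\n")
    fake_cert = (b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n"
                 b"-----END CERTIFICATE-----\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("certs/server.key", fake_key)
        zf.writestr("certs/server.crt", fake_cert)  # public cert: must not be flagged
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("app/main.bin", b"\x00\x01binary")
        zf.writestr("app/resources.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    findings = scan_blob(build_sample_release(), "release.zip")
    for where, label in findings:
        print(f"BLOCK RELEASE: {label} found in {where}")
    sys.exit(1 if findings else 0)  # non-zero exit fails the release job
```

A header match only shows that key material is present in the package; a key that has already shipped still has to be revoked and replaced, as the company did here.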
Qihoo 360 said it revoked the leaked private key to prevent misuse and claimed that no users were affected. However, because the key was leaked by the company itself, users could still be targeted without realizing it.
The incident underscores a broader point for the AI development race: even cybersecurity firms can make fundamental mistakes, with consequences that extend beyond technology to the trust of millions of users.
