
Massive Data Leak Exposes 8.7 Billion Records From Hundreds of Millions of Chinese Individuals

A massive data leak has exposed over 8.7 billion personal and business records of primarily Chinese people. The database was left unsecured on an Elasticsearch cluster with more than 160 indices hosted on bulletproof infrastructure.

The database was left misconfigured for multiple weeks before it was finally secured, giving threat actors sufficient time to exfiltrate data. Researchers believe that the data was already compromised.

Chinese data leak puts millions at risk of account takeovers

The Chinese data leak put millions of impacted individuals at risk of various cyber attacks, including phishing, account takeovers, fraud, and identity theft.

According to the researchers, the dataset included the victims’ full names, phone numbers, dates and places of birth, gender and demographic information, national ID numbers, home addresses, email accounts, social media identifiers, and passwords.

Exposed plaintext and poorly protected passwords are particularly valuable for credential stuffing attacks, leading to multiple account takeovers, especially for individuals who reuse passwords across various services.

The data leak also exposed corporate and business information, including company registration details, legal representatives, business contact information, and licensing metadata. That information could enable scammers to impersonate companies or target employees.

In addition, the unsecured Elasticsearch database remained accessible for three weeks to anybody who knew where to look, giving cybercriminals ample time to copy the data. The security team that discovered the data leak suggested that cybercriminals may have already exfiltrated the data.

So far, it remains unclear whether the leaked information has surfaced on underground hacking forums or has been misused. However, other services hosted on the impacted server suggest malicious intent.

Deliberate aggregation suspected in Chinese data leak

Security researchers believe the data was intentionally aggregated rather than being the result of an accidental misconfiguration. The data was also highly organized by phone numbers, IDs, and accounts, indicating a deliberate attempt to make the information more usable.

Storage on bulletproof infrastructure also suggested that the data was collected by a high-risk or non-compliant entity. The data elements also matched the types collected by data brokers.

In addition, the leaked data included updated information, as recent as 2025, suggesting it was a long-running aggregation rather than a historical leak.

According to the security researchers, the data leak affected primarily Chinese individuals across various provinces and cities, suggesting that the aggregation occurred on the Mainland.

Nonetheless, the identity of the threat actor remains unknown, as the database contained no identifying information, and no data aggregator has claimed ownership at the time of publication.

Similarly, the number of impacted individuals remains unknown because the dataset contained duplicated records, but it is likely in the hundreds of millions.

While Chinese data leaks typically contain many personal records, given the country’s large population, this exposure was particularly significant, even by Chinese standards.

Plagued by massive data breaches

China has experienced massive data breaches in the past, underscoring the persistent global challenges of managing large volumes of personal information. Additionally, data breaches do not spare government-linked organizations or tech behemoths and usually leak highly sensitive personal information.

In September 2025, a threat actor leaked over 500 GB of internal documents from the Chinese censorship program, the Great Firewall of China.

Another data leak exposed 631 GB of data, including over 4 billion financial and personal records from technology giants WeChat and Alipay, putting victims at risk of fraud.

Chinese social media behemoths QQ and Weibo, courier service ShunFeng, and dozens of other organizations also leaked 1.2 billion records in 2024.

In 2022, the Shanghai National Police data leak exposed 23 terabytes of personal information for over a billion individuals, with the hacker demanding 10 bitcoins, worth about $200,000 at the time, as ransom.