China citizens on the streets of Shanghai showing data leak of personal data

Data Leak May Have Exposed Sensitive Information of 1 Billion China Citizens; Hacker Offers 23 TB of Personal Data on Underground Forum

The Chinese government has recently made a series of strong moves to keep the personal data of citizens from escaping across its borders, but it may all have been for nothing if the reports of a recent data leak are accurate. The data of 1 billion China citizens, or about two-thirds of the country’s entire population, appears to be available for sale on an underground forum.

The hacker claims that they have 23 terabytes of data on China citizens filched from the Shanghai National Police (SHGA) database. These records include full names, addresses, birthplace, national ID number, and mobile phone numbers. The hacker also claims to have “several billion” court case records that contain “all crime and case details.”

The full package is being offered for 10 bitcoin, or about $200,000. The hacker has shared a sample of 750,000 records to verify accuracy, and several security researchers have said that they have been able to verify that at least some files contain accurate contact information for China citizens.

Data leak of 1 billion China Citizens may be linked to accidentally exposed ElasticSearch database

The full scope of the data leak has yet to be independently verified, but it would be one of the largest breaches in world history; only the 2013 breach of Yahoo!, the 2019 breach of Alibaba and the 2017-2018 breach of India’s Aadhar identification system had a higher count of exposed records of personal data.

Several newspapers, including The Guardian and Reuters, said that they could not verify the authenticity of the breach after trying a number of included mobile phone numbers that had been disconnected. Others, such as the Wall Street Journal, had mixed success with the people they reached out to. Some independent security researchers also say that they have verified at least some of the records in the sample, including some data of residents of Tibet.

There are few leads on the hacker at this point other than a username, “ChinaDan.” This was the name used to advertise the stolen personal data on the underground site Breach Forums. Users of the popular Weibo and WeChat social media platforms quickly took to forums to discuss the news once it broke, but China citizens quickly found mentions of the data leak blocked on these services.

Zhao Changpeng, CEO of Binance, speculated on Twitter that an ElasticSearch database accidentally exposed to the internet may have been the source of the data leak. Changpeng said that the company’s threat detection experts had found a Chinese-language blog post from a developer that worked on the database, who had apparently somehow managed to include the login credentials in the post.

Sensitive personal data of China citizens may be freely available

The incident calls to mind the 2017 breach of Equifax, which saw the sensitive financial information of nearly half the entire population of the United States exposed. China citizens are in an even worse position with this data leak, however; while the Equifax data never surfaced in the public sphere (and was most likely stolen by hackers working for the Chinese military, as an early 2020 indictment indicates), the Shanghai police data is freely available to anyone that wants to purchase it.

There is still some debate as to how legitimate the Shanghai police data leak actually is, however. Chatter from other cyber criminals that frequent Breach Forums expressed a good deal of skepticism, mostly centered on the relatively low asking price. Some noted that the hacker would be hunted to the ends of the earth for a personal data leak of this magnitude, even putting their own life at risk, making the $200,000 price tag seem relatively paltry. Other posters did some of their own independent checks of the sample and found that some listed data was inaccurate.

The trove of personal data had no takers even at that price at the time that Breach Forums closed its offer thread on July 3, with the best offer being six bitcoin. Any buyers could face the same trouble that the hacker faces, with the added complication of severe penalties under China’s Minor Protection Law if the alleged billions of court records contain information on persons under the age of 18.

At least one team of security researchers thinks this is a hoax, however. A team at Check Point Software believes that this is a collection of tens of millions of files of personal data from several prior known breaches, the largest being an attack on a major courier company: “Check Point discovered that the large database claimed as stolen from the Shanghai Police’s database was actually seen in an online cybercrime forum, which specialises in the trade of stolen databases. Within this forum, it was found that there are a variety of other China related databases offered for sale as well, such as a China Courier Database with 66M records, that were allegedly stolen from ShunFeng Express in 2020, as well as other databases from Chinese Driving Schools.”

There is still some debate as to how legitimate the Shanghai police #dataleak actually is. Chatter from other #cybercriminals that frequent Breach Forums expressed a good deal of skepticism. #cybersecurity #respectdataClick to Tweet

Regardless of the source of the data leak, the incident demonstrates how many different ways in which personal data can wind up in the hands of threat actors. Camellia Chan, CEO and founder of X-PHY, sees this as a call to all organizations to review and tune up cybersecurity posture: “While details remain unclear, the lesson organisations can immediately take away is that cybersecurity needs to be holistic. Cybercriminals will look for any way in, so even if a company feels that they have all internal processes locked down – which is statistically unlikely – the third-party they use to deliver office milk or some other service may not. That’s their weak spot. Businesses can never take their eye off the ball. A good cybersecurity posture isn’t a one-and-done tick box exercise, but an ongoing proactive, intelligent and self-learning process. That way, organisations never stand still in the face of ever-more innovative cybercriminals but have a stance that continues to evolve around today’s threats.”


Senior Correspondent at CPO Magazine