Billion-record stolen Chinese database for sale on breach forum
Appears to have leaked from a cloud thanks to sloppy coding
A threat actor has taken to a forum for news and discussion of data breaches with an offer to sell what they assert is a database containing records of over a billion Chinese civilians – allegedly stolen from the Shanghai Police.
Over the weekend, reports started to surface of a post to a forum at Breached.to. The post makes the following claim:
In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens.
HackerDan offered to sell the lot for 10 Bitcoin – about $200,000. We've saved HackerDan's post as a PDF in case it vanishes.
HackerDan released three sample datasets: one containing delivery addresses, often with instructions for drivers; another with police records; and the last with personal identification information such as name, national ID number, address, height, and gender.
China has a national police force, and that presumably has a Shanghai office. But an entity called the "Shanghai National Police" is hard to find.
Media outlets were nonetheless able to verify that the contents of the sample, whatever the source, describe actual people.
"Gigantic civilian data leak if confirmed: A hacker is selling an alleged Shanghai police data leak containing 1 billion Chinese nationals' names, home addresses, ID #, phone #, criminal records, etc. Hacker says it's from an Aliyun (Alibaba) private cloud server. pic.twitter.com/IRPG35SWYI"
– Zeyi Yang (@ZeyiYang), July 3, 2022
"Five people confirmed all of the data, including case details that would be difficult to obtain from any source other than the police. Four more people confirmed basic information such as their names before hanging up," reported the Wall Street Journal.
The WSJ's reporter Karen Hao described the experience on Twitter:
"I was truly stunned when the first person picked up—I really believed the whole thing to be fake. By the third, I was shaking—both from the nerves of trying to explain why I had their extremely private information and the weight of realizing what this leak could mean for so many."
– Karen Hao 郝珂灵 (@_KarenHao), July 4, 2022
While the Shanghai government and police department have largely been silent over the leak, social media platforms Weibo and WeChat were not – at least until Sunday afternoon when users on Weibo began experiencing data leak-related blocked hashtags.
On Monday, an unusual voice joined in the analysis of the event: Changpeng Zhao, the CEO of cryptocurrency exchange Binance.
"CZ" – as he's known – took to Twitter with the following:
"Our threat intelligence detected 1 billion resident records for sell in the dark web, including name, address, national id, mobile, police and medical records from one asian country. Likely due to a bug in an Elastic Search deployment by a gov agency. This has impact on ..."
– CZ 🔶 Binance (@cz_binance), July 3, 2022
CZ's post came four days after HackerDan's, so while some of the facts matched, it was unclear whether the CEO was referring to the same event or a different one.
He later tweeted again, this time alleging "this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials."
Whatever the source of the leak, it will mightily annoy China. The nation's government has recently prioritized personal data protection and critical infrastructure security. If the People's Police have mucked up on both counts, that will not go down well. ®