How data on a billion people may have leaked from a Chinese police dashboard

Details have emerged on how more than a billion personal records were stolen in China and put up for sale on the dark web, and it all boils down to a unprotected online dashboard that left the data open to anyone who could find it.

More than 23TB of details apparently stolen from the Shanghai police was put up for sale on the underground Breach Forums by someone with the handle ChinaDan for 10 Bitcoin ($215,000 at time of writing). The data collection included names, addresses, birthplaces, national ID numbers, cellphone numbers, and details of any related police records.

Wall Street Journal reporters were able to confirm at least some of the sample records, made available for free, were valid by calling the victims and confirming their personal details. However, it is still unknown if the entire database is legit.

Quick to jump in, Binance CEO Changpeng Zhao stated on Twitter the data was swiped after a government developer wrote a blog post on the Chinese Software Developer Network that, presumably accidentally, included the credentials necessary to access the information.

But according to cybersecurity experts, this may not be correct. Instead, the data was exposed to the world from a non-password-protected web dashboard. And that public-facing Kibana-powered site had been left open since the end of 2020, according to LeakIX, a website that tracks exposed databases online.

Open-source Kibana is used all around the world to view and manage Elasticsearch clusters. "The service leaking the data was an unprotected Kibana instance running on port 5601, the default Kibana port," LeakIX claimed. If that's correct, it means if anyone scanned the internet for public-facing Kibana deployments, they would have eventually found this one in China.

We're told the service was running on a .kibana.elasticsearch.aliyuncs.com domain. "This is the default Kibana endpoint exposed by Alibaba when an Elasticsearch service is deployed on a public network," the researchers wrote.

Furthermore, we're told, Alibaba Cloud documentation shows that "exposure of the endpoint to a public network will happen by default." It also said "a default username and password (elastic/elastic) will be assigned to the Elasticsearch cluster."

Now it all seems to click into place. If LeakIX is correct, the thief may have pulled the data from the unprotected public-facing Kibana instance or from the underlying public Elasticsearch cluster that Kibana provided a web interface for. The exposed Elasticsearch cluster's version, 5.5.3, is a legacy version "which did not support authentication out of the box and required a paid license or a third-party authentication plugin to enable it," LeakIX wrote, adding that there was no evidence this security defense was enabled.

The team added: "On the 1st of July, Alibaba made private or shut down all the Kibana servers running 5.5.3."

There is no indication that anyone other than the techie who set up this deployment was at fault for this security lapse. The software was hosted on Alibaba, and we have asked the cloud giant for its take on events.

• AWS and Elasticsearch settle trademark infringement lawsuit
• Billion-record stolen Chinese database for sale on breach forum
• And just like that, Amazon Web Services forked Elasticsearch, Kibana. Was that part of the plan, Elastic?
• Someone may be prepping an NPM crypto-mining spree

Bob Diachenko, owner of infosec research firm SecurityDiscovery, confirmed to The Register that his findings married up with that of LeakIX. Diachenko's company automatically detected the cluster on the open internet in April, we're told, and made a note of the database indices, though it did not inspect the content. When free samples of the stolen data were made available, Diachenko was able to link references to indices in those samples to Elasticsearch indices logged by his systems earlier.

"We constantly monitor exposures and misconfiguration on the internet, however, we do not actively look into Chinese IPs," Diachenko told The Register.

"When I learned about the leak and studied the samples shared by a threat actor on an underground forum, I realized this data originated from an Elasticsearch Kibana system, due to the names of the indices. I searched our internal reports and was able to confirm an exact match of the indices names."

According to Diachenko, the cluster was ransacked by someone around mid-June who destroyed the data, leaving a ransom note demanding 10 BTC in its place. He issued the following advice via Twitter:

Do not ignore security alerts shown by Elastic when Kibana has its security features disabled. https://t.co/03zIV1DWDw pic.twitter.com/7vYwJcEDfr

— Bob Diachenko (@MayhemDayOne) July 6, 2022

The leak is believed to be one of the largest in history. Beijing has not officially recognized its existence. However, a meeting of the State Council presided over by Li Keqiang on Wednesday emphasized information security.

"All kinds of acts that infringe on the lawful rights and interests of individuals and enterprises, such as the illegal use of information and the abuse of information, should be seriously investigated and dealt with in accordance with laws and regulations," state-sponsored media wrote of the meeting takeaways. ®