An anonymous hacker has claimed to have stolen data on as many as a billion Chinese residents after breaching a database from the Shanghai police, according to multiple reports. The incident, if real, would be “one of the biggest data breaches in the history,” said experts.
The anonymous Internet user, identified as ChinaDan, posted on hacker forum Breach Forums last week offering to sell the more than 23 terabytes (TB) of data for 10 bitcoins, equivalent to about $200,000.
"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many terabytes of data and information on billions of Chinese citizens," the post said.
"Databases contain information on 1 billion Chinese national residents and several billion case records, including: Name, address, birthplace, national ID number, mobile number, all crime and case details."
The Shanghai government and police department have so far not responded to requests for comment.
Yi Fu-Xian, a senior scientist at the University of Wisconsin-Madison, said that he had downloaded the sample data available on the internet and found information related to his home county in Hunan province.
“The data contained information about almost all the counties in China, and I have even discovered data related to a remote county in Tibet, where there are only a few thousand residents,” he told The Guardian, adding that the demographic trend extracted from the data “is worse than the officials have reported”.
The hashtag “Shanghai data leak” was blocked on Weibo and WeChat social media platforms. But users expressed shock and dismay on social media about this incident, with some saying they were now “transparent human beings”.
Kendra Schaefer, head of tech policy research at Beijing-based consultancy Trivium China, said in a post on Twitter that it was "hard to parse truth from rumour mill".
If the material the hacker claimed to have came from the Ministry of Public Security, it would be bad for "a number of reasons", Schaefer said, adding that most obviously it would be among the "biggest and worst breaches in history".
Zhao Changpeng, CEO of Binance, also said that the cryptocurrency exchange had stepped up user verification processes after the exchange's threat intelligence detected the sale of records belonging to one billion residents of an Asian country on the dark web.
He said on Twitter that a leak could have happened due to "a bug in an Elastic Search deployment by a (government) agency", without saying if he was referring to the Shanghai police case. He did not immediately respond to a request for further comment.
Israeli cybersecurity firm Check Point Research has claimed to have found a variety of other China-related databases offered for sale as well, such as a China Courier Database with 66 million records that were allegedly stolen from ShunFeng Express in 2020, as well as other databases from Chinese driving schools.
For this particular leak, Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software, has warned that there is a high chance that cybercriminals may use this data for phishing and spear phishing attacks. "As this database also includes mobile numbers, we recommend organizations in China to be prepared for a possible wave of smishing attacks," he added.
In fact, China has in recent years seen a number of data leak incidents. In 2016, sensitive information about influential people, including the founder of Alibaba, Jack Ma, was posted on Twitter.
The claim of a hack comes as the country has vowed to improve protection of online user data privacy, commanding tech giants to ensure safer storage after public complaints about mismanagement and misuse. Last year, China passed laws governing how personal information and data generated within its borders should be handled.