
Unknown Hacker Steals Data of 1 Billion Chinese Citizens

Data Has Been Put on Sale for 10 Bitcoin, Equivalent to About $200,000

A misconfigured Alibaba private cloud server has led to the leak of around 1 billion Chinese nationals' personal details. An unknown hacker, identified as "ChinaDan," posted an advertisement on a hacker forum selling 23 terabytes of data for 10 bitcoin, equivalent to about $200,000.

Touted as one of the largest data breaches in history, the data was allegedly stolen from the Shanghai National Police database, which contains Chinese nationals' personal details, including names, home addresses, criminal records, and ID and phone numbers.

"Our threat intelligence detected 1 billion resident records for sale in the dark web, including name, address, national id, mobile, police and medical records from one Asian country. Likely due to a bug in an Elastic Search deployment by a gov agency," says a Tweet by Changpeng Zhao, founder and chief executive officer of cryptocurrency exchange Binance. "This has impact on hacker detection/prevention measures, mobile numbers used for account take overs, etc."

Information Security Media Group could not confirm the authenticity of the data leaked.

A report from Bleeping Computer, however, claims that ChinaDan also shared a sample with 750,000 records containing ID information and police call records. It says that this sample allows interested buyers to verify the data.

"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on billions of Chinese citizens," says the threat actor in their post on Breach Forums, a marketplace that hackers and threat actors use to buy and sell data.

Chinese Regulation

Kendra Schaefer, head of tech policy research at Beijing-based consultancy Trivium China, says on Twitter that China's Personal Information Protection Law, which came out late last year, requires government bodies to protect the information of citizens.

"It's hard to parse truth from rumor mill, but can confirm file exists. If the source is indeed MPS, that would be, erm... bad, for a number of reasons. Most obviously, it would be among biggest and worst breaches in history," Schaefer tweeted.

Schaefer also says that the records allegedly contain details on case files of minors, which would be a violation of the Minor Protection Law.


About the Author

Prajeet Nair

Principal Correspondent, ISMG

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.



