The private data for 1 billion Chinese citizens was briefly put up for sale on a hacking forum, which would represent the largest leak of personal data in history. The post offering the database for sale seems to have been removed from the Breach Forum pages, which could either suggest that it was completely bogus or dangerously true.
The files were allegedly retrieved from the Shanghai National Police archive and, as well as containing the personal information of 1 billion residents, they also contained several billion individual case files.
According to the original post, archived by HotHardware, the data included those individuals’ names, addresses, birthdays, ID numbers, details of any criminal activity, and their phone numbers.
That last detail is potentially important evidence of the veracity of the data on offer. Two Wall Street Journal writers, Karen Hao and Rachel Liang, spent time calling Chinese nationals listed in a download sample of 750,000 records that the hacker put up on the forum as proof. The journalists downloaded the sample and called a number of the phone numbers, expecting them to be fake.
“We are all running naked,” a popular slang phrase used in China for a noted lack of privacy, said one of the victims when called and confronted with the leak of his personal data.
Of the dozens they called, “nine picked up and confirmed exactly what the data said,” writes Hao on Twitter.
A hacker is selling an alleged 1 billion Chinese citizens’ information stolen from Shanghai police. @rachelliang5602 & I downloaded the sample the hacker provided and called dozens of people listed. Nine picked up & confirmed exactly what the data said. https://t.co/X0VhJaWjvb (July 4, 2022)
“I was truly stunned when the first person picked up—I really believed the whole thing to be fake. By the third, I was shaking—both from the nerves of trying to explain why I had their extremely private information and the weight of realizing what this leak could mean for so many.”
Hao and Liang note that several of the numbers they tried calling were either invalid or no longer in service, but that mobile phone users in China are more likely to change their numbers every few years than in other countries.
The database was up for sale for the paltry sum of 10 bitcoin, around $200,000 at the moment, which isn’t that much for the biggest data breach of all time.
The WSJ report notes that Zhao Changpeng, CEO of crypto exchange Binance, tweeted that its threat intelligence had detected the sale on “the dark web” and that it was improving its own security as a result.
Apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials. 1 billion records of private citizens’ data. 😭 https://t.co/vPISm534Tn pic.twitter.com/FpMCGrpx08 (July 4, 2022)
Zhao followed up, detailing that the hack could have originated with a government developer who wrote a post on a tech blog and accidentally revealed the database credentials in published lines of code back in 2020.
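The failure mode Zhao describes, credentials left inside code that is then published, is exactly what a pre-publication secret scan is meant to catch. The following is an added example, not code from the article or from anyone it quotes: it scans a constructed code snippet for hardcoded password assignments and credentials embedded in connection URLs, and masks them so the snippet can be shared safely. The snippet, host names and values are all made up for illustration.

```python
import re

# Constructed sample of the kind of snippet a developer might paste into a blog post.
# None of these values are real credentials.
SAMPLE_SNIPPET = '''
# db helper (constructed example, not real credentials)
DB_HOST = "10.0.0.12"
DB_USER = "admin"
DB_PASSWORD = "P@ssw0rd-example"
conn_str = "postgres://svc_user:s3cret-example@db.internal:5432/cases"
api_timeout = 30
'''

# Each pattern names the secret portion with a (?P<value>...) group so it can be masked.
PATTERNS = [
    ("hardcoded password assignment",
     re.compile(r'(?i)(?P<key>passw(?:or)?d|passwd|secret|api[_-]?key|token)'
                r'\s*[:=]\s*["\'](?P<value>[^"\']{4,})["\']')),
    ("credentials embedded in connection URL",
     re.compile(r'\b[a-z][a-z0-9+.-]*://(?P<user>[^:/\s@]+):(?P<value>[^@\s]+)@')),
]


def find_secrets(text):
    """Return (line_no, kind, matched_text) for each likely credential in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((line_no, kind, match.group(0)))
    return findings


def redact(text):
    """Replace each detected secret value with a placeholder so the snippet is safe to publish."""
    def _mask(match):
        start, end = match.span("value")
        whole = match.group(0)
        offset = match.start()
        return whole[:start - offset] + "<REDACTED>" + whole[end - offset:]
    for _, pattern in PATTERNS:
        text = pattern.sub(_mask, text)
    return text


if __name__ == "__main__":
    for line_no, kind, hit in find_secrets(SAMPLE_SNIPPET):
        print(f"line {line_no}: {kind}: {hit}")
    print(redact(SAMPLE_SNIPPET))
```

Running the scan as a pre-commit or pre-publish check, rather than relying on the author noticing, is the point: the leak described above went unnoticed for roughly two years.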
Following this leak, another posting on Breach Forums, supposedly by a policeman in China, promises further police database dumps “inspired by the recent Shanghai event,” with an initial 2016 database posted as a “meeting gift.”
Breach Forum is the spiritual successor to RaidForums, which was taken down in a joint international operation in which the site’s founder and main admin, Diogo Santos Coelho, was arrested and charged in the UK.