Shanghai police data goes public: Possibly one of the ‘largest data breaches in history’
A hacker stole private data from Shanghai police and then attempted to sell the sensitive information of 1 billion Chinese citizens
An anonymous user of Breach Forums, a website dedicated to discussions on hacking and cybersecurity, claims to have obtained information on nearly 1 billion Chinese citizens. If legitimate, this would be one of the largest data breaches in history, according to The Washington Post.
The user behind the profile ‘HackerDan’ stated they sourced the information from a leak in the Shanghai National Police database, and said they were selling the names, addresses, mobile numbers, all criminal records, national ID numbers and more for 10 bitcoin (or around $200,000 in U.S. dollars). ‘HackerDan’ also provided a sample of the data: around 250,000 records.
The sample data provided contains criminal reports on citizens from 1995 to 2019. The Deseret News was able to retrieve these sample files, which had detailed case reports from police encounters. Teams from The Wall Street Journal and The New York Times were able to call individuals from the sample data and verify names, police encounters, addresses and more.
I was truly stunned when the first person picked up—I really believed the whole thing to be fake. By the third, I was shaking—both from the nerves of trying to explain why I had their extremely private information and the weight of realizing what this leak could mean for so many. — Karen Hao 郝珂灵 (@_KarenHao) July 4, 2022
CNN reports that the leak had been publicly accessible since April 2021 via “a shortcut web address that offers unrestricted access to anyone with knowledge of it.” The data breach only came to the attention of authorities after ‘HackerDan’ posted the information for sale.
The CEO of Binance, Changpeng Zhao, tweeted that his company detected the leak, and blamed it on “a bug in an Elastic Search deployment by a gov agency.”
Our threat intelligence detected 1 billion resident records for sale in the dark web, including name, address, national ID, mobile, police and medical records from one Asian country. Likely due to a bug in an Elastic Search deployment by a gov agency. This has impact on ... — CZ 🔶 Binance (@cz_binance) July 3, 2022
Chinese police have been silent on the matter, and have actively silenced those speaking on the subject. The hashtag “data leak” was blocked on Weibo, the Chinese social media platform, by Sunday afternoon, per Reuters. Other Weibo accounts have been suspended, and some users have been asked to “visit the police station for a chat,” according to The New York Times.
According to CNN, a security researcher in Ukraine, Bob Diachenko, found the database in April. In June he became aware of an attack on the site in which the data was copied and deleted, and a ransom note asking for 10 bitcoin was left behind.
It is not confirmed whether the attacker was the same person who is now selling the data, but at the beginning of July, the ransom note was gone and only 7 gigabytes of data was present. This could indicate, according to Diachenko, that the ransom was “resolved” but the owners of the database “continued to use the exposed database for storing.” This continued until the site was shut down this past weekend.
China passed data privacy laws in 2021 in the wake of other significant data breaches, to prevent this kind of mismanagement and improve the data privacy of its citizens, per Reuters.