China’s trouble with the largest data leak in its history

In what has been dubbed one of the biggest data breaches in history, the data of one billion Chinese citizens was exposed for more than a year.
7 July 2022


  • The massive trove of data collated by the Shanghai police in China was left unsecured and publicly accessible for more than a year before being stolen.
  • An anonymous user on a hacker forum offered to sell the 23TB of data for 10 bitcoin.
  • The seller also claimed the unsecured database had been hosted by Alibaba Cloud.

China, alongside Russia, has long been identified as one of the world’s biggest sources of cybercriminals, and there are reports that hold the country responsible for a large proportion of cyber attacks globally. In fact, the US, which has been naming and shaming China over online espionage for more than a decade, claims China has transformed into a far more sophisticated and mature digital adversary than it was ten years ago.

Ironically, while news of cyber attacks allegedly instigated by the Chinese government has become almost commonplace in recent years, Chinese domestic breaches are rarely disclosed. That was until recently, when an anonymous internet user known as “ChinaDan” posted on the hacker site Breach Forums last week, offering to sell more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about US$200,000.

The 23TB represents the personal data of one billion Chinese citizens stolen from the Shanghai National Police (SHGA) database. According to LeakIX, a site that detects and indexes exposed databases online, the vast trove of Chinese personal data had been publicly accessible via what appeared to be an unsecured backdoor link since at least April 2021. The anonymous posting simply made it known to the wider hacker community. What is called a backdoor link here is, in practice, a database service listening on an internet-reachable IP address with no access controls, so anyone who stumbles upon it gets unrestricted access.

In some cases, copies of entire databases are dumped and then forgotten by time-poor administrators and developers. In this case, the fact that few seemed to notice the data was there points to accident rather than design, although, of course, we are merely hypothesizing.
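The failure mode the article describes is a datastore that is reachable from anywhere and asks for no credentials, left that way for over a year. The following is an added example, not code from the article or from any of the companies named in it: a small audit over a constructed inventory of database endpoints that flags any endpoint whose firewall allow-rules admit sources outside a trusted range, and ranks it as critical when the endpoint also requires no authentication. The inventory layout (name, port, `auth_required`, ingress CIDRs, `first_seen`) and the trusted-network list are assumptions; in a real deployment these fields would be exported from cloud security-group and database configuration data.

```python
"""Audit a datastore inventory for endpoints exposed outside trusted networks,
and rank those that also require no authentication as critical.

Added example; the inventory fields and trusted ranges below are assumptions."""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Constructed allowlist of networks the organisation treats as internal.
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "fd00::/8")]

# Constructed audit date (the article's publication date).
AUDIT_DATE = date(2022, 7, 7)


@dataclass(frozen=True)
class Datastore:
    name: str
    port: int
    auth_required: bool
    ingress: tuple      # firewall / security-group allow-rule source CIDRs
    first_seen: date    # when the endpoint was first observed in inventory


def rule_is_too_broad(cidr: str) -> bool:
    """A rule is too broad unless every source it admits lies inside one of
    the trusted networks. 0.0.0.0/0 and ::/0 always fail this test."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        net.version == trusted.version and net.subnet_of(trusted)
        for trusted in TRUSTED_SOURCES
    )


SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def audit(stores, today: date):
    """Return findings ordered by severity; each finding is a plain dict."""
    findings = []
    for s in stores:
        broad = [c for c in s.ingress if rule_is_too_broad(c)]
        if broad and not s.auth_required:
            severity = "CRITICAL"   # anyone on the internet can read it
        elif broad:
            severity = "HIGH"       # exposed, but credentials are still required
        elif not s.auth_required:
            severity = "MEDIUM"     # internal only, but one pivot away
        else:
            continue                # restricted network and authenticated
        findings.append({
            "name": s.name,
            "port": s.port,
            "severity": severity,
            "offending_rules": broad,
            "days_exposed": (today - s.first_seen).days,
        })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


# Constructed sample inventory; names, ports and addresses are invented.
SAMPLE_INVENTORY = [
    Datastore("records-archive", 9200, False, ("0.0.0.0/0",), date(2021, 4, 1)),
    Datastore("hr-postgres", 5432, True, ("10.0.0.0/8",), date(2020, 1, 15)),
    Datastore("analytics-mongo", 27017, True,
              ("10.10.0.0/16", "198.51.100.0/24"), date(2022, 2, 1)),
    Datastore("dev-redis", 6379, False, ("10.0.5.0/24",), date(2022, 6, 1)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{f['severity']:8} {f['name']}:{f['port']} "
              f"rules={f['offending_rules']} days_exposed={f['days_exposed']}")
```

The `days_exposed` column is the point of the exercise: an endpoint that has been world-readable since a `first_seen` of April 2021 shows up with well over a year of exposure, which is exactly the window the article says went unnoticed. Running such a check against a real inventory on a schedule turns an accidental dump into a ticket within days rather than months.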

For context, China is home to 1.4 billion people, which means the data breach could potentially affect more than 70% of the population. The post by ChinaDan suggests that the databases contain Chinese residents’ names, addresses, national ID numbers, several billion criminal records, and contact numbers.

ChinaDan shared a sample of 750,000 records so that interested buyers could verify the information. When the anonymous user advertised the data for sale last Thursday, access to the database, which did not require a password, was shut down. Interestingly, ChinaDan also claimed that the data was exfiltrated from a local private cloud provided by Aliyun (Alibaba Cloud), part of the Chinese police network (the public security network).

Screenshot of the data leak. (Source - Acronis)

Although Alibaba has yet to make any official comment, experts reckon this does not necessarily mean the cloud giant is responsible for the data breach; Alibaba was merely the host. What is uncertain, however, is how many people accessed or downloaded the database during the 14 months or more it was left publicly available.

In a report by CNN, two Western cybersecurity experts were quoted as saying they were aware of the existence of the database before it was thrust into the public spotlight last week, suggesting it could be easily discovered by people who knew where to look. Even crypto exchange Binance’s founder and CEO Zhao Changpeng tweeted, just before the news broke, that the company had detected the breach of a billion resident records “from one Asian country,” without specifying which, and the exchange has since increased verification procedures for potentially affected users.

Prior to this incident, in 2016, personal information on dozens of Communist Party officials and industry figures, from Jack Ma to Wang Jianlin, was said to have been exposed on Twitter, one of the country’s biggest online leaks of sensitive information at the time. Then, in 2020, the Twitter-like service Weibo Corp. said hackers claimed to have stolen account information for more than 538 million of its users, though sensitive data such as passwords was not leaked.

Then this year, tens of thousands of seemingly hacked files from China’s remote Xinjiang region provided fresh evidence of the abuse of mostly Muslim ethnic Uyghurs, according to human rights groups. Perhaps this, the most recent and biggest incident yet, highlights the challenges facing Beijing as it collects data on hundreds of millions of people while tightening policing of sensitive online content. 

Under Chinese law, exposing personal information can result in jail terms. So far, it remains to be seen what action the Chinese authorities will take over this large-scale data leak, which has garnered global attention.