[German]US media report that a hacker is currently trying to sell a 23 terabyte data set for the price of 10 bitcoins (around 195,000 euros). The dataset is said to contain 1 billion personal data of the population from a police database of the Chinese city of Shanghai.
Advertising
I became aware of the facts made public by The Guardian (for instance) yesterday via some tweets.
The data is said to have come from the Shanghai police database. The anonymous hacker with the alias ChinaDan posted the offer last week on the hacker forum Breach Forums and wrote:
In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on billions of Chinese citizens.
The databases contain information on 1 billion Chinese citizens and several billion case records including: name, address, place of birth, national ID number, cell phone number, all details of crimes and cases.
The Guardian tried to verify this, but probably did not succeed – the phone numbers listed in the database were no longer in use when the editors tried to call them. Officials in China have not commented on the alleged data hack as of yesterday, July 4, 2022. ChinaDan's post was heavily discussed on Chinese social media platforms Weibo and WeChat over the weekend, with many users fearing it could be genuine.
China has experienced a number of data leaks in recent years, writes The Guardian. In 2016, sensitive information about influential Chinese figures, including Alibaba founder Jack Ma, was published on Twitter.
Advertising
Yi Fu-Xian, a senior researcher at the University of Wisconsin-Madison, is quoted by The Guardian as saying that he downloaded sampling data available on the Internet and found information about his home county in Hunan province. "The data contained information on almost all counties in China, and I even discovered data on a remote county in Tibet where only a few thousand people live," he said, adding that the demographic trends identified from the data "are worse than reported by the authorities."
It seems that ubiquitous surveillance is now falling on China's toes. In any case, these incidents alarmed Chinese authorities. Last year, China passed laws regulating the handling of personal information and data generated within its borders. In any case, the hashtag "Shanghai data leak" was blocked on Weibo on Sunday afternoon. Some Chinese users have apparently realized how transparent people are in China.
No database password protection
Brief addendum: Meanwhile, it turns out that the "hack" did not really require a hack. Rather, the Shanghai police database was openly available on the Internet for more than a year. The Wallstreet Journal reports (citing its own sources) in this July 14, 2022 piece that executives from Alibaba Group Holding's cloud division were summoned for talks by Shanghai authorities in connection with the theft of a huge police database.
According to cybersecurity researchers, a dashboard for managing the database was accessible on the public Internet for more than a year without a password, so the content could be easily stolen and deleted. It is even reported that there was also no way to set a password to secure the database.
From the scans of the leaked database, security researchers concluded that it was hosted on Alibaba's cloud platform. Employees of the company also confirmed this connection.
Meanwhile, Alibaba employees have blocked access to the database and are in the process of reviewing the code of the cloud environment in question. Two cybersecurity firms told the Wall Street Journal that the stolen data was stored in Alibaba's cloud using technology that was several years out of date and lacked basic security features. The company's share price fell 5.98% since June 13, 2022 (which is when the first rumors of the problem surfaced) Reuters reports in this article.
