New China Leak? Hacker claims to have captured data of 48.5 million COVID app users from Shanghai

[German]Is there a new data leak in China that has captured personal data of millions of people? A hacker has claimed to have obtained the personal data of 48.5 million users of a COVID mobile health code app operated by the city of Shanghai. Joins a chain of other data breaches.

China has extensive digital control of its citizens and collects data like a world champion. But securing that data is arguably rather bumbling. As recently as July, in the blog post Hacker sells 1 billion personal data from Shanghai police data base for 10 bitcoins, I reported on a huge hack of the Shanghai city police database. It later came out that their database was accessible via the Internet without password protection. In May, there was the Xinjian police files incident (see Xinjiang Police Files: Geleakte Polizeiakten zeigen Details aus uigurischen Internierungslagern). Now there is the next incident, pointed out by Reuters Asia in the following tweet.

During the COVID 19 outbreaks, entire cities with millions of inhabitants went into lockdown and the citizens had to identify themselves as Corona-free with tests and apps. In Shanghai, there was a mobile app for this purpose. A hacker has claimed to have obtained the personal data of 48.5 million users of a COVID health code mobile app operated by the city of Shanghai.

The hacker (pseudonym XJP) sold the data for $4,000 last Wednesday through the hacker forum Breach Forums, according to this Reuters report. There, the hacker also provided a sample of the data. The records included the phone numbers, names and Chinese identification numbers and health code status of 47 people.

Reuters was able to reach the 47 people and 11 confirmed that they were included in the sample with their data. However, in the case of two people, their identification numbers were incorrect (the authorities had probably stored incorrect entries). "This DB (database) contains everyone who lives in Shanghai or has visited Shanghai since the launch of Suishenma," the hacker XJP wrote in his posting. Suishenma is the Chinese name for Shanghai's health code system, which the city of 25 million people, like many other cities in China, introduced in early 2020 to combat the spread of COVID-19. All residents and visitors must use it. Originally, the hacker charged $4,850 before the price was later lowered.