One billion Chinese personal data, online for more than a year
In a hacker forum last week, an anonymous member offered to sell the personal information of up to a billion Chinese residents, bringing the database’s existence into the public eye for the first time in a year and a half.
Cybersecurity experts say the leak could be the largest ever recorded, illustrating the dangers of gathering and keeping large amounts of sensitive personal data online, particularly in countries where authorities have broad and unfettered access to such data.
Since at least April 2021, LeakIX, a site that monitors and indexes publicly accessible databases, had discovered a backdoor link that allowed uncontrolled access to the massive collection of Chinese personal information.
The open access was shut down after an anonymous user advertised the database, holding more than 23 TB of data, for sale in a post on a hacker site last Thursday, asking ten bitcoin (nearly $200,000). Access to the database did not require a password.
According to the user, the database was compiled by the Shanghai police. It contained sensitive information on one billion Chinese citizens, including their names and addresses as well as their mobile phone numbers, national ID numbers, ages, and birthplaces.
The seller included a sample of 750,000 data entries from the database’s three primary indexes in his ad. An example provided by the seller was authenticated by CNN, but they were unable to get access to the original database.
Neither the city of Shanghai nor its police department has responded to CNN’s written inquiries.
The seller further stated that Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba, held a database that was inaccessible to the public. When reached by CNN on Monday, Alibaba said, “we are looking into this,” and that it would relay any updates. Earlier this week, Alibaba stated that it would not be commenting.
CNN spoke to experts who argued the data owner was responsible, not the hosting company.
Troy Hunt, an Australia-based Microsoft regional director, shared these sentiments: “as it stands today, I believe this would be the largest leak of public information yet — certainly, in terms of the breadth of the impact in China, we’re talking about most of the population here.”
More than 70% of China’s 1.4 billion people are at risk if their personal information is compromised.
In the 14 months or so that the database was available online, it is not clear how many people visited or downloaded it. According to two Western cybersecurity experts interviewed by CNN, the database existed well before it became public knowledge last week, meaning that anyone who knew where to look could have found it earlier.
Cybersecurity expert Vinny Troia initially came upon it “around January” when he was hunting for open datasets on the internet.
Troia downloaded one of the database’s key indexes, which he says contains information on approximately 970 million Chinese residents. Whether the database owners made an error in allowing open access, or whether it was a deliberate shortcut to share the data with a small group of people, was difficult to tell, he said.
Troia added that “the site that I found it on is public, anybody (could) access it, all you have to do is register for an account. Since it was opened in April 2021, any number of people could have downloaded the data.”
Personal data leaks, breaches, and negligence are becoming more widespread, and cybersecurity experts say it is not rare to uncover publicly exposed databases.