Breach Notification , Cybercrime , Cyberwarfare / Nation-State Attacks
Unknown Hacker Steals Data of 1 Billion Chinese Citizens
Data Has Been Put on Sale for 10 Bitcoin, Equivalent to About $200,000A misconfigured Alibaba private cloud server has led to the leak of around 1 billion Chinese nationals' personal details. An unknown hacker, identified as "ChinaDan," posted an advertisement on a hacker forum selling 23 terabytes of data for 10 bitcoin, equivalent to about $200,000.
See Also: Gartner Guide for Digital Forensics and Incident Response
Touted as one of the largest data breaches in history, the data was allegedly stolen from the Shanghai National Police database, which contains Chinese nationals' personal details, including names, home addresses, criminal records, and ID and phones numbers.
"Our threat intelligence detected 1 billion resident records for sale in the dark web, including name, address, national id, mobile, police and medical records from one Asian country. Likely due to a bug in an Elastic Search deployment by a gov agency," says a Tweet by Changpeng Zhao, founder and chief executive officer of cryptocurrency exchange Binance. "This has impact on hacker detection/prevention measures, mobile numbers used for account take overs, etc."
Our threat intelligence detected 1 billion resident records for sell in the dark web, including name, address, national id, mobile, police and medical records from one asian country. Likely due to a bug in an Elastic Search deployment by a gov agency. This has impact on ...
— Binance (@cz_binance) July 3, 2022
Information Security Media Group could not confirm the authenticity of the data leaked.
A report from Bleeping Computer, however, claims that ChinaDan also shared a sample with 750,000 records containing ID information and police call records. It says that this sample allows interested buyers to verify the data.
"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on billions of Chinese citizens," says the threat actor in their post on Breach Forums, a marketplace that hackers and threat actors use to buy and sell data.
Chinese Regulation
Kendra Schaefer, head of tech policy research at Beijing-based consultancy Trivium China, says on Twitter that China's Personal Information Protection Law, which came out late last year, requires government bodies to protect the information of citizens.
"It's hard to parse truth from rumor mill, but can confirm file exists. If the source is indeed MPS, that would be, erm... bad, for a number of reasons. Most obviously, it would be among biggest and worst breaches in history," Schaefer tweeted.
Schaefer also says that the records allegedly contain details on case files of minors, which would be a violation of the Minor Protection Law.
If you're not following this, you should be: word on the social media street is that China's police force (MPS - Shanghai) database was hacked, with the personal information and case records of 1 billion citizens, and the records are for sale on Telegram - 23TB of data. 1/7 https://t.co/a59KB8JBHF
— Kendra Schaefer 凯娜 (@kendraschaefer) July 4, 2022