The data of nearly 1 billion people in China was leaked, and it has been online for more than a year
Cyber security experts say the leak may be one of the largest in history, highlighting the dangers of collecting and storing vast amounts of sensitive personal data online — particularly in a country where authorities have extensive and unmonitored access to such data.
The vast trove of Chinese personal data had been publicly accessible via what appeared to be an insecure backlink — a shortened web address that provides unrestricted access to anyone familiar with it — since at least April 2021, according to LeakIX, which discovers and indexes exposed online databases.
Access to the database, which did not require a password, was shut down after an anonymous user advertised more than 23 terabytes (TB) of data for sale for 10 bitcoin – nearly $200,000 – in a post on a hacker forum last Thursday.
The user claimed that the database was compiled by Shanghai police and contained sensitive information on one billion Chinese citizens, including their names, addresses, mobile phone numbers, national identification numbers, ages and places of birth, as well as billions of phone call records made to police to report civil disputes and crimes.
A sample of 750,000 data entries from the three main indexes of the database was included in the seller's post. CNN validated more than twenty entries from the sample provided by the seller, but was unable to access the original database.
The Shanghai government and police department did not respond to CNN’s repeated written requests for comment.
The seller also claimed that the unlocked database was hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba. In a statement to CNN, Alibaba said it was aware of the incident and was investigating it.
But the experts CNN spoke with said the owner of the data was at fault, not the company hosting it.
“As it stands today, I think this will be the biggest leak of public information to date — certainly in terms of breadth of influence in China, we’re talking about most of the population here,” said Troy Hunt, a Microsoft Regional Director in Australia.
China has a population of 1.4 billion people, which means that the data breach could affect more than 70% of the population.
“It’s a little case where the genie won’t be able to get back into the bottle,” Hunt said. “Once the data is what it looks like now, there’s no going back.”
It is unclear how many people have accessed or downloaded the database in the 14 or more months that it was left publicly available online. Two Western cybersecurity experts who spoke to CNN were aware of the database’s existence before it was brought into the spotlight last year, suggesting that it could easily be discovered by people who know where to look.
Vinny Troia, a cybersecurity researcher and founder of dark web intelligence firm Shadowbyte, said he first discovered the database “around January” while researching open databases on the Internet.
“The site I found it on is public, anyone can access it, and all you have to do is sign up for an account,” Troia said. “Since it opened in April 2021, any number of people could download the data,” he added.
Troia said he downloaded one of the database’s main indexes, which appears to contain information on nearly 970 million Chinese citizens.
Troia said it was difficult to judge for sure whether the open access was an oversight by the database owners or an intentional shortcut meant to be shared among a small number of people.
“Either they forgot about it or they deliberately left it open because it is easy for them to access,” he said, referring to the authorities responsible for the database. “I don’t know why they do that. It seems so careless.”
Unsecured personal data — exposed through leaks, hacks, or some form of inefficiency — is an increasingly common problem faced by businesses and governments around the world, and cybersecurity experts say it’s not unusual to find databases left open to public access.
Cybersecurity researchers say the recent data leak is particularly worrying, not only because of its potentially unprecedented scale, but also because of the sensitive nature of the information it contains.
CNN’s analysis of the database sample found police records of cases spanning nearly two decades from 2001 to 2019. While the majority of entries are civil disputes, there are also records of criminal cases ranging from fraud to rape.
In one case, a Shanghai resident was summoned by police in 2018 for using a virtual private network (VPN) to evade China’s firewall and access Twitter, allegedly retweeting “reactionary notes involving the (Communist) party, politics and leaders.”
In another record, a mother called the police in 2010, accusing her father-in-law of raping her 3-year-old daughter.
“There can be domestic violence, child abuse, all sorts of things out there, and that to me is a lot more concerning,” said Hunt, Microsoft’s regional director.
“Can this lead to extortion? We often see extortion of individuals after data leaks, examples where hackers can even try to ransom individuals.”
Bob Diachenko, a security researcher based in Ukraine, first accessed the database in April. In mid-June, his company discovered that the database had been attacked by an unknown malicious actor, who destroyed and copied the data and left a ransom note demanding 10 bitcoins for its recovery, Diachenko said.
It is not clear if this was the work of the same person who announced the sale of the database information last week.
By July 1, the ransom note was gone, according to Diachenko, but only 7 GB of data was available – instead of the 23 TB originally announced.
Diachenko said this indicated that the ransom was resolved, but that the database owners continued to use the exposed database for storage until it was shut down over the weekend.
“Maybe there was a junior developer who noticed this and tried to remove the notes before senior management noticed,” he said.
Shanghai police did not respond to CNN’s request for comment on the ransom note.