A hacker named ChinaDan claims to have collected a trove of personal information from Shanghai police on a billion Chinese citizens, which tech experts say, if true, would be one of the biggest data breaches in history.
The anonymous internet user, identified as “ChinaDan,” posted on hacker forum Breach Forums last week offering to sell more than 23 terabytes (TB) of data for 10 bitcoins, or about $200,000.
“In 2022, the database of the Shanghai National Police (SHGA) was leaked. This database contains many TBs of data and information about Billions of Chinese citizens,” ChinaDan said.
“The database contains information about 1 Billion residents of Chinese nationality and billions of case records, including: name, address, place of birth, national ID number, mobile phone number, all details of the offence.” Cybersecurity experts have verified that some of the citizen data in the sample is correct, but it is difficult to determine the extent of the entire database.
The government has kept quiet on the matter. The Cybersecurity Administration of China did not respond to a request through the comment feature. The Shanghai Public Security Bureau declined to answer questions about the database.
The government’s refusal to acknowledge a data leak is contrary to practice in other countries, where companies and government agencies are generally obligated to alert affected users if their information is leaked.
Troia and another researcher named Bob Diachenko, the owner of SecurityDiscovery.com, a cybersecurity consulting firm, said the data in Shanghai had long been stored on a private internal network. However, the communication port between the programmer and the database was not password protected.
According to Troia, he had access to this database in December or January, and was impressed with its huge capacity. Troia downloaded and reviewed some sample data from the files at the time.
Mr. Diachenko said his team determined that the database was accessible from April this year until mid-June, when someone copied and destroyed the data and left a ransom note demanding 10 Bitcoins, currently worth around $200,000, to recover the information. Security researchers say bad actors often take over exposed databases and try to blackmail data owners with ransom demands.
It’s not clear if anyone paid and downloaded the entire database.
Security researchers say the huge amount of personal information on Shanghai residents in the databases could expose individuals to the risk of blackmail, extortion or fraud.
“The more complete your profile of a person, the more dangerous it is,” said Mr. “The possibilities are endless.”