In what could be the largest data breach in history, hackers claim to have cracked into a Shanghai National Police database and stolen data on 1 billion Chinese citizens.
Through a post on the online hacking forum Breach Forums last week, someone using the handle “ChinaDan” offered to sell the nearly 24 terabytes of stolen data for 10 Bitcoin, worth approximately $200,000. The user claimed they possessed information on 1 billion people, including minors, and “several billion case records.”
A sample of data seen by the Associated Press listed names, birthdates, ages, and mobile numbers. AP said it could not yet verify the authenticity of the data samples.
Kendra Schaefer, a partner for technology at policy research firm Trivium China, said in a tweet that it is “hard to parse truth from the rumor mill, but can confirm file exists.”
Chester Wisniewski, a principal research scientist at cybersecurity firm Sophos, said once hackers get data and put it online, it is impossible to remove entirely.
Most of the hacked data is what advertising companies that run banner ads would have, said Wisniewski, so the information is much less interesting since it is not about where they traveled, who they communicated with, or what they were doing.
However, “if someone believes their information was part of this attack, they have to assume it’s forever available to anyone, and they should be taking precautions to protect themselves,” he added.
The data leak sparked significant discussion on the popular Chinese social media platform Weibo, according to AP.
“Everyone, please be careful in case there are more phone scams in the future!” one person said in a Weibo post. Another person commented that the leak means everyone is “running naked” — a metaphor referring to a lack of privacy — which they called “horrifying.”
Chinese state censors have since blocked keyword searches for “Shanghai data leak.”
Michael Gazeley, managing director at Hong Kong-based security firm Network Box, said such data leaks are relatively common.
“There are approximately 12 billion compromised accounts posted on the Dark Web right now. That’s more than the total number of people in the world,” he said, adding that most data leaks often come from the U.S.
In 2020, a major cyber attack compromised several U.S. federal agencies, including the State Department, the Department of Homeland Security, telecommunications firms, and defense contractors.
