
Hackers say they’ve breached the data of 1 billion Chinese citizens from a Shanghai police database and offered it for sale, a leak that, if confirmed, would be one of the largest exposures of personal information in history.

In a post last week on an underground hacker forum, an anonymous poster or a group advertised the availability of the data and released a sample, which purportedly contained 750,000 records. The asking price for the complete, 23-terabyte database was 10 bitcoin, or around $200,000. The post has since been locked by the site.

The data included names, national identification and phone numbers, medical records, a summary of incidents reported to the police and other information. While the authenticity of the full database had not been confirmed, a review of some ID numbers appeared to track with information found on a government website.

The apparent hackers said that there were several billion case reports — from thefts to fights to domestic violence, dated from the late 1990s to 2019 — and 1 billion records of Chinese citizens’ personal information. If true, the database would cover more than 70% of China’s 1.4 billion residents. The personal information and reported incidents were contained in separate files.

The breach came after China’s Personal Information Protection Law took effect last year, which imposed stringent security safeguards on corporate and government entities that handle personal information. The law was passed after Chinese regulators ordered more than 40 companies to change their operations after violating data transfer rules, Reuters reported.

Kendra Schaefer, the head of tech policy research at China-focused research team Trivium China, said in a Twitter post Monday that the incident was the first major public breach by a government body under the new law. “So it’s unclear who holds who accountable,” she said, because the Ministry of Public Security (MSP) would typically oversee cybercrime investigations.

“The records also allegedly contain details on case files of minors,” Schaefer said. “So that would be a violation of the Minor Protection Law.” She raised the possibility that the data contained information of celebrities or officials.

In the released sample data set, certain information was associated with individuals listed under the “seven categories of key people,” a reference to individuals monitored by MSP for suspected criminal activity.

State departments, the Shanghai government and the Shanghai police department did not respond to requests for comment.

However, it’s also possible the files had been online before the law became effective — they only received public attention after the alleged hacker released them online. Cybersecurity researcher Vinny Troia told CNN that he was made aware of the database in January on a public site, which was opened in April 2021, meaning anyone could have accessed the database since then.

There’s also speculation government staff accidentally included the credentials necessary to access the database in a blog post on the Chinese Software Developer Network, a forum for developers to share code. Changpeng Zhao, the chief executive of the cryptocurrency exchange company Binance, referenced the theory in a tweet on Monday. He said that the company had “already stepped up verifications” for users who were potentially affected.

The unnamed poster claimed that the database was hosted by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Cloud providers affiliated with big tech companies, like AliCloud, typically built the digital infrastructure for government agencies.

Web security consultant Troy Hunt told the Wall Street Journal that the anonymity of the person who offered the sale, as well as the size of the database, raised questions over its accuracy.

It was not the first time Chinese police records have been leaked. Earlier this year, a researcher obtained a cache of documents from Xinjiang Police, which detailed draconian surveillance and reeducation practices in the region and shed light on Beijing’s crackdown on the Uyghur population.

