This article was originally published by Radio Free Asia and is reprinted with permission.
A hacker has claimed to be selling the personal data of 1 billion Chinese nationals leaked from a Shanghai police database, according to a post by user “ChinaDan” on the hacker forum Breach Forums that was widely shared on Telegram.
If the claim is true, the data leak would be one of the biggest in history, Reuters cited tech experts as saying.
“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen,” the post said.
“Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”
The post had sparked widespread discussion on China’s tightly controlled social media platforms, and censors had blocked the hashtag #dataleak from Weibo by Sunday afternoon, the agency said.
The data breach was also referenced by rights activist Fu Xianyi on Twitter, who said the leak was from the “Shanghai public security database,” meaning the police.
Cryptocurrency business founder Zhao Changpeng also referred to a data leak involving one billion people’s personal details in an Asian country being up for sale on the dark web.
An online security expert who gave only the surname Chang said he believed the reports were genuine, as he had known of the database’s vulnerability before the report emerged.
“The information coming out now is true,” Chang said.
“There is a high probability that it was leaked last year but is only now being sold,” he told RFA. “The Shanghai authorities are investigating Gong Daoan, a police chief who was fired last year, so perhaps it’s related.”
“Most likely it was leaked from Alibaba Cloud.”
Major data dump
Chang said the data was linked to host oss-cn-shanghai-shga-d01-a.ops.ga.sh, which is a Shanghai police local area network (LAN) that is physically isolated from the internet, using private services from Alibaba Cloud.
The breach is likely the biggest to hit China since Communist Party (CCP) rule began in 1949.
“The data is linked to one billion people, with everything there,” Chang said. “I saw on Twitter that some people have already started analyzing the population decline, telecom fraud or other research based on the data.”
“A lot of people have downloaded some part of it.”
The data dump reportedly includes ID card and phone numbers, payment records for online purchases including groceries, ticket sales and hotel bookings, as well as details of age and gender.
Current affairs commentator Li Ang said the data dump is highly sensitive, coming as it does ahead of the CCP’s 20th National Congress later this year, at which CCP leader Xi Jinping is expected to seek an unprecedented third term in office.
“This isn’t some regular hacker; they must have used very high-tech means to get this data, and to publish it,” Li told RFA. “I don’t think this is an accident.”
“The person was already holding this data, and they have chosen this time to publish it,” he said.
China has yet to comment on the estimated 24TB of data involved in the leak, and many online comments said the government was unlikely to respond, for fear of encouraging more people to try obtaining data.