Hackers claim they breached data of 1 billion Chinese residents from police

Hackers say they have stolen the personal information of 1 billion Chinese citizens from a Shanghai police database and put it up for sale, a leak that, if confirmed, would be one of the biggest such revelations in history.

In a post last week on an underground hacker forum, an anonymous contributor or group promoted the availability of the data, releasing a sample said to contain 750,000 records. The asking price for the entire 23-terabyte database was 10 Bitcoin, or about $200,000. The post has since been blocked from the site.

The data included names, national IDs and phone numbers, medical records, details from police reports, and other information. Although the authenticity of the full database had not been confirmed, some ID numbers checked by The Post appeared to be linked to information on a government website.

The suspected hackers said there were billions of case reports — ranging from thefts to beatings to domestic violence, dating from the late 1990s to 2019 — and the records of 1 billion Chinese citizens. If authenticated, the database would cover more than 70 percent of China’s 1.4 billion people. The personal information and reported incidents were contained in separate files.

Despite the scope, the government prevented victims from learning about the leak. On Weibo, a widely used Twitter-like platform in China, a keyword search for “data leak” or “Shanghai police database” returned no results related to the breach. A data subject confirmed details of the records linked to her in an interview with The Post, but was unaware of the leak.


The breach came after China’s Personal Data Protection Law, which imposed strict security measures on companies and government agencies that handle personal data, came into effect last year. The law was passed after Chinese regulators urged more than 40 companies to change their operations for violating data transfer rules, Reuters reported.

Kendra Schaefer, Head of Technology Policy Research at the China-focused research team Trivium China, said in a Twitter post Monday that the incident was the first major public breach by a government agency under the new law. “So it’s unclear who is holding whom accountable,” she said. The Department of Public Safety (MSP) would normally oversee investigations related to cybercrime.

“The files also allegedly contain details about files on minors,” Schaefer said. “So that would be a violation of the Youth Protection Act.” She pointed to the possibility that the data contained information from celebrities or officials.

In the sample dataset released, certain information was associated with individuals listed under the “seven categories of key individuals,” a reference to individuals monitored by MSPs for suspected criminal activity.

Foreign ministries, the Shanghai government and the Shanghai Police Department did not respond to requests for comment.

However, it’s also possible that the files were online before the law went into effect – they only gained public attention after the alleged hacker put them online. Cybersecurity researcher Vinny Troia told CNN that he was made aware of the database on a public website in January, which opened in April 2021, meaning anyone has been able to access the database since then.

There is also speculation that government officials accidentally included the credentials needed to access the database in a blog post on the Chinese Software Developer Network, a forum for developers to share code. Changpeng Zhao, the chief executive of cryptocurrency exchange Binance, referred to the theory in a tweet on Monday. He said the company had “already ramped up” screening for potentially affected users.

The unnamed poster claimed that the database was hosted by AliCloud, a subsidiary of Chinese e-commerce giant Alibaba Group. Cloud providers associated with big tech companies like AliCloud have typically built the digital infrastructure for government agencies.

Alibaba Group did not respond to a request for comment.

But Shawn Chang, the chief executive of security solutions provider HardenedVault, found the theory unconvincing. “Shanghai is a city [with] 250 million inhabitants. AliCloud is unlikely [to use] a key to the entire police system,” he said. He added that the breach could be elsewhere, such as with centralized key management services that didn’t go through the authentication process.

Web security consultant Troy Hunt said the anonymity of the person who offered the sale, as well as the size of the database, raises questions about its accuracy. Demanding a large payout also raises the possibility that the claim was exaggerated or falsified, he added.

But the data was also strong “because it’s a very unique class of information,” Hunt said. Unlike self-reported names and phone numbers when filling out an online form — seen in other data breaches — these were police reports that “were really just in one place.”

It’s no secret that government agencies in China have poorly managed data systems. “The problem with the Chinese government is that it collects every citizen’s data on public service platforms, which had serious consequences when the data was leaked,” Chang said. “Everywhere you go, you have to transmit your information. But there is no systematic way to manage this data. Private companies are also bad at data management, but better than the government.”

Earlier this year, a researcher obtained a cache of Xinjiang police documents that detail draconian surveillance and re-education practices in the region and shed light on Beijing’s crackdown on the Uyghur population.