According to cybersecurity experts, the leak could be one of the largest in history, highlighting the risks associated with collecting and storing huge amounts of sensitive personal data online, especially in a country where authorities have wide and uncontrolled access to such data.
A huge array of Chinese personal data has been publicly available through an insecure backdoor link — a shortcut web address that offers unlimited access to anyone who knows about it — since at least April 2021, according to LeakIX, a site that detects and indexes open databases online.
Access to the database, which did not require a password, was closed after an anonymous user announced the sale of more than 23 terabytes (TB) of data for 10 bitcoins – roughly $200,000 – in a post on a hacker forum last Thursday.
The user claimed that the database was compiled by the Shanghai police and contained sensitive information about one billion Chinese citizens, including their names, addresses, mobile phone numbers, national identification numbers, age and place of birth, and billions of records of phone calls to police to report civil disputes and crimes.
A sample of 750,000 data records from three major database indexes was included in the seller’s post. CNN authenticated more than two dozen records from a sample provided by the seller, but was unable to access the original database.
The Shanghai government and police department did not respond to CNN’s repeated written requests for comment.
The seller also stated that the unsecured database was hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba. When CNN reached out for comment on Monday, Alibaba said “we’re looking into it” and would report any updates. On Wednesday, Alibaba said it declined to comment.
But experts interviewed by CNN said the owner of the data was at fault, not the company hosting it.
“I believe this will be the largest publicly available information leak to date – by far, in terms of the breadth of influence in China, we’re talking about the majority of the population here,” said Troy Hunt, a Microsoft regional director from Australia.
China is home to 1.4 billion people, meaning that more than 70% of the population could potentially be affected by a data breach.
“This is a small case where the genie can’t go back into the bottle. Once the data is available as it appears to be now, there is no going back,” Hunt said.
It is not clear how many people accessed or downloaded the database during the 14 or more months it remained public on the Internet. Two Western cybersecurity experts who spoke to CNN were aware of the existence of the database before it was put on public display last week, suggesting it could have been easily discovered by people who knew where to look.
Vinnie Troya, a cybersecurity researcher and founder of dark web analytics firm Shadowbyte, said he first discovered the database “around January” while searching for open databases online.
“The site I found it on is public, anyone (can) access it, all you have to do is sign up for an account,” Troya said. “Because it was opened in April 2021, any number of people could download the data,” he added.
Troya said he had downloaded one of the main indexes of a database that appears to contain information on nearly 970 million Chinese citizens. But it’s hard to judge whether open access was an oversight on the part of the database’s owners, or if it was a deliberate shortcut meant to be shared by a small number of people, he said.
“Either they forgot about it or deliberately left it open because it is easier for them to access it,” he said, referring to the authorities responsible for the database. “I don’t know why they did it. Sounds very careless.”
Unprotected personal data exposed through leaks, hacks or some form of incompetence is an increasingly common problem faced by companies and governments around the world, and cybersecurity experts say it’s not unusual for databases to remain open to the public.
But the latest data breach is of particular concern, say cybersecurity researchers, not only because of its potentially unprecedented scope, but also because of the sensitive nature of the information it contains.
An analysis of a sample database by CNN found police case records spanning nearly two decades from 2001 to 2019. While most of the entries are for civil disputes, there are also entries for criminal cases ranging from fraud to rape.
In one case, a Shanghai resident was called by police in 2018 for using a virtual private network (VPN) to bypass a Chinese firewall and access Twitter, allegedly retweeting “reactionary remarks regarding the (Communist) party, politics and leaders.”
In another entry, a mother called the police in 2010, accusing her father-in-law of raping her 3-year-old daughter.
“There could be domestic violence, child abuse and all that stuff that worries me a lot more,” said Hunt, Microsoft’s regional director.
“Could it lead to extortion? We often see extortion of people after a data breach, examples where hackers may even try to ransom people.”
Bob Dyachenko, a security researcher from Ukraine, first encountered the database in April. According to Dyachenko, in mid-June, his company discovered that the database had been attacked by an unknown attacker who destroyed and copied the data and left a ransom note demanding 10 bitcoins for its restoration.
It is not clear if this was the work of the same person who advertised the sale of information from the database last week.
By July 1, the ransom note had disappeared, Dyachenko said, but only 7 gigabytes (GB) of data were available — instead of the originally claimed 23 TB.
Dyachenko said this suggests the ransom was resolved, but the database owners continued to use the open database for storage until it was closed over the weekend.
“Maybe some junior developer noticed this and tried to remove the notes before upper management noticed them,” he said.
This story was updated with additional events on Wednesday.
Philip Wang of CNN contributed to the story.