If true, a hacker claims to have stolen the personal information of 1 billion Chinese citizens from a Shanghai police database, constituting one of the largest data breaches in history.
Last week, the anonymous hacker known only as “ChinaDan” posted on the hacker forum Breach Forums offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin, which is roughly $200,000 (£165,000).
“The Shanghai National Police (SHGA) database was leaked in 2022.” This database contains many terabytes of data and information on billions of Chinese citizens,” according to the post.
“Databases contain information on one billion Chinese national residents and billions of case records, including name, address, birthplace, national ID number, mobile number, and all crime/case details.”
The hacker’s identity is unknown. The Guardian was unable to confirm the authenticity of the post, and when contacted, several numbers in the sample database were no longer in use.
As of Monday, Chinese officials had yet to respond to the alleged data hack.
Yi Fu-Xian, a senior scientist at the University of Wisconsin-Madison, explained that he downloaded sample data from the internet and discovered information about his home county in Hunan province.
“I discovered data related to a remote county in Tibet, where there are only a few thousand residents,” he said, adding that the demographic trend extracted from the data “is worse than the officials have reported.”
A number of data leak incidents have occurred in China in recent years. Sensitive information about powerful Chinese individuals, including Alibaba founder Jack Ma, was leaked on Twitter in 2016.
The Chinese authorities were alarmed by these incidents. China passed legislation last year governing how personal information and data generated within its borders should be handled.
Over the weekend, ChinaDan’s post was widely discussed on China’s Weibo and WeChat social media platforms, with many users concerned that it was real.
The hashtag “Shanghai data leak” was removed from Weibo by Sunday afternoon, but there are still some discussions about the incident on Chinese social media. Users expressed surprise and dismay, with some claiming to be “transparent human beings.”
In a Twitter post, Kendra Schaefer, head of tech policy research at Beijing-based consultancy Trivium China, stated that it was “difficult to separate truth from rumor mill.”
If the hacker claimed to have obtained material from the Ministry of Public Security, it would be bad for “a number of reasons,” according to Schaefer. “Obviously, it would rank among the largest and worst breaches in history.”
Binance CEO Zhao Changpeng announced on Monday that the cryptocurrency exchange had increased user-verification processes after the exchange’s threat intelligence detected the sale of records belonging to one billion Asian residents on the dark web.
He stated on Twitter that a leak could have occurred as a result of “a bug in an elastic search deployment by a (government) agency,” but did not specify whether he was referring to the Shanghai police case.
Following public complaints about mismanagement and misuse, China has vowed to improve protection of online user data privacy, instructing its tech giants to ensure safer storage.