Hacker claims theft of 1 billion records from Shanghai police

Security experts have blamed the leak on third-party providers like Alibaba

China's national data-sharing system proved a weakness in the alleged breach.

A hacker claims to have stolen a billion records containing Chinese citizens' personal information from the Shanghai police department - in what cybersecurity experts are calling the largest data breach in Chinese history.

Last week, a user by the name "ChinaDan" posted on Breach Forums offering to sell more than 23 terabytes (TB) of data for 10 bitcoin (around $200,000).

"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen," the post said.

"Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details."

HackerDan released several sample datasets as proof: one containing delivery addresses and instructions for drivers; another with police records; and the last with personal information like the person's name, home address, national ID number, height, and gender.

Media outlets have confirmed that the sample does describe real people.

Although the scale of the leak described in the post is still unconfirmed, it has generated a lot of curiosity and media attention both in China and overseas. Chinese social media platforms Weibo and WeChat lit up over the weekend as people worried about the implications.

The discussion became so widespread that, according to Reuters' sources, Weibo blocked #dataleak from trending on Sunday.

On Monday, Binance's founder and CEO Zhao Changpeng tweeted that they had detected the breach of a billion resident records "from one Asian country," although quite how Binance - the world's largest cryptocurrency exchange - 'detected' the breach is unknown.

Binance has strengthened its user verification procedures since becoming aware of the issue, Changpeng added.

If the breach is confirmed to be real, it would be "bad, for a number of reasons," said Kendra Schaefer, a partner with the consulting company Trivium China.

"Most obviously, this would be among the biggest and worst breaches in history."

It's unclear how the suspected attackers were able to access the Shanghai police systems.

Security experts have offered up a number of theories; for example, placing blame on a third-party cloud infrastructure partner, like Tencent, Huawei or Alibaba.

One reason why the breach allegedly included so much information is that the Shanghai police would have had access to a national data-sharing system, enabling access to more information than a regional police authority would otherwise have.

In recent years, China has been accused of using state-backed hackers for espionage. Now reports are emerging that the hackers' data, too, may have been compromised.

Due to a lack of transparency in reporting, domestic breaches are seldom brought to light in China.

Weibo, which provides a service comparable to Twitter, said in 2020 that hackers claimed to have stolen account information for more than 538 million users; however, sensitive data was not exposed in the breach.

The Victims of Communism Memorial Foundation, a rights organisation in Washington, claimed this year that tens of thousands of purportedly hacked files from China's remote Xinjiang province offered further proof of the mistreatment of the Uyghur people in the country.