The hacker is offering to sell the data trove – with some samples reported to be the legitimate data of Chinese citizens.
An anonymous hacker claims to have stolen a trove of data on 1bn Chinese citizens from the Shanghai police, which would be one of the biggest data breaches in history.
The threat actor posted the announcement on a hacker forum using the handle ‘ChinaDan’. They said the alleged stolen data includes names, addresses, birthplaces, national IDs, mobile numbers and criminal case information.
The hacker has offered to sell more than 23TB of data for 10 bitcoin, which is worth nearly $200,000. The scale of the claimed hack has led to many groups seeking to verify if the breach is legitimate and how it could have occurred.
Binance CEO Changpeng Zhao tweeted earlier this week that the company’s threat intelligence team detected 1bn “resident records” for sale on the dark web and said it was “likely due to a bug in an Elasticsearch deployment” by a government agency.
The hacker said the data was exfiltrated from a local private cloud, provided by Alibaba Cloud, which is part of the Chinese police network, according to BleepingComputer.
Wall Street Journal reporter Karen Hao said that she downloaded the data sample that the hacker shared online. After calling dozens of the people listed, she said nine picked up and “confirmed exactly what the data said”.
“At this point, it’s impossible to confirm the scale of the data leak, but five of the people who picked up verified all of the case details listed with their name – information that would be difficult to obtain from any source other than the police,” Hao said on Twitter yesterday (4 July).
The cases range from incidents of petty theft and cyber fraud to reports of domestic violence, dating as far back as 1995 to as recently as 2019.
— Karen Hao 郝珂灵 (@_KarenHao) July 4, 2022
Hao added that experts remain “cautious” about the claim that the hack involves the data of 1bn people, as the hacker could be exaggerating to boost financial gain.
Have I Been Pwned creator Troy Hunt tweeted that he spoke to Hao about the alleged breach and said it is “pretty sensational if true”. He added that it “isn’t data aggregator stuff either, it’s police reports so very unique data”.
Third-party weak spots
Camellia Chan, CEO of cybersecurity product provider X-PHY, said we now live in a world where stories of data breaches are regular but “everyone should sit up and take notice” when claims of this scale are made.
Chan referenced the theory that the alleged hack occurred via a third-party infrastructure provider and said organisations should remember that cybersecurity needs to be “holistic”.
“Cybercriminals will look for any way in, so even if a company feels that they have all internal processes locked down – which is statistically unlikely – the third-party they use to deliver office milk or some other service may not,” Chan said. “That’s their weak spot.”
Bill Conner, cybersecurity adviser and CEO of SonicWall, added that personally identifiable information is highly sought after by cybercriminals for monetary gain.
“Organisations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost,” Conner said. “Personal information that does not change as easily as a credit card or bank account number drives a high price on the dark web.”
Earlier this month, it was reported that a worker in Japan lost a USB drive containing the details of an entire city's residents, roughly half a million people.