A mystery hacker has claimed to have stolen a massive batch of data containing sensitive information on roughly a billion Chinese citizens, with cyber experts warning it may be one of the biggest breaches in history.
The 23 terabyte (TB) cache was allegedly stolen from the Shanghai police department and was advertised on hacking forums in the country.
The anonymous internet user, identifying themselves as “ChinaDan”, posted on Breach Forums last week offering to sell the data for 10 bitcoin, equivalent to about £165,000.
“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens,” the post said.
“Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”
The Wall Street Journal claims to have verified a small portion of the data, while prominent Chinese tech figures have vouched for their authenticity.
Changpeng Zhao, the CEO of leading crypto exchange Binance, said his company had detected a breach, which he said on Twitter was “likely due to a bug in an Elastic Search deployment by a gov[ernment] agency”. He said his signature had stepped up user verification processes following the alleged hack.
The Shanghai government and police department did not respond to requests for comment on Monday.
The post by ChinaDan was widely discussed on China’s Weibo and WeChat social media platforms over the weekend, with many users worried it could be real. The hashtag “data leak” was blocked on Weibo by Sunday afternoon.
Kendra Schaefer, head of tech policy research at Beijing-based consultancy Trivium China, said in a post on Twitter that it was “hard to parse truth from rumor mill”.
If the material the hacker claimed to have came from the Ministry of Public Security, it would be bad for “a number of reasons”, Ms Schaefer said.
“Most obviously it would be among the biggest and worst breaches in history,” she added.
The claim of a hack comes as China has vowed to improve protection for online user data, instructing its tech giants to ensure safer storage after public complaints about mismanagement and misuse.
Last year, China passed new laws governing how personal information and data generated within its borders should be handled.
“Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all costs,” Bill Conner, CEO of cybersecurity firm SonicWall and adviser to GCHQ and Interpol, told The Independent.
“Personal information that does not change as easily as a credit card or bank account number drives a high price on the dark web. This kind of personally identifiable information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course.”