KEY POINTS
- An online database containing the personal data of a billion Chinese citizens was left publicly accessible since at least April 2021
- It included sensitive information such as names, ages, birthplaces, addresses and mobile numbers
- Access to the database was shut down after an anonymous user attempted to sell the data Thursday for 10 bitcoin, or around $200,000
An online database that apparently contained the personal data of up to a billion Chinese citizens was left unsecured and publicly accessible for over a year until an attempt was made to sell the data for cryptocurrency.
LeakIX, a site that detects and indexes exposed databases online, found that the collection could be accessed via a backdoor link since at least April 2021, CNN reported.
"Either they forgot about it, or they intentionally left it open because it's easier for them to access. I don't know why they would. It sounds very careless," Vinny Troia, a cybersecurity researcher and founder of dark web intelligence firm Shadowbyte, was quoted as saying by the outlet.
Access to the database was shut down after an anonymous user with the handle "ChinaDan" offered 23 terabytes' worth of data for sale for 10 bitcoin, or around $200,000, on the online hacking forum Breach Forums Thursday, Associated Press reported.
The data included sensitive information on one billion Chinese nationals from the Shanghai National Police database, the user claimed. They included names, ages, birthplaces, addresses, mobile numbers and national ID numbers, as well as billions of records of phone calls made to police to report on civil disputes and crime, according to the user.
Data detailing user activity from the most popular Chinese apps was also included, a report by Bloomberg said.
International Business Times could not independently verify the authenticity of the data that was offered for sale by the user. However, CNN said it confirmed that over two dozen data entries from the sample included in the seller's post were real.
Shanghai's government and police department did not respond to requests for comment.
It was unclear how many people were able to access the database while it was still up.
"As it stands today, I believe this would be the largest leak of public information yet -- certainly in terms of the breadth of the impact in China, we're talking about most of the population here," said Troy Hunt, a Microsoft regional director based in Australia.
China is home to 1.4 billion people, which means the data breach may have affected more than 70% of the population.
The owner of the data was at fault in this incident, not the company hosting it, some experts claimed.
The user who tried to sell the data claimed that the database had been hosted by Alibaba Cloud, a cloud computing subsidiary of Chinese e-commerce giant Alibaba.
When asked for comment Monday, Alibaba told CNN it was "looking into this" but later declined further comment.
Those responsible for the data breach may be punished over the incident, according to experts.
“The Party will likely discipline MPS and local officials internally, without drawing much public attention,” Dakota Cary, a consultant with the Washington-based Krebs Stamos Group, told Bloomberg.
“Alternatively, if the government does find that the breach was truly the fault of a private firm that maintained the database, that company will likely be fined or targeted by market regulators for costly inspections,” Cary added.
The data stolen in the hack includes names, mobile phone numbers, national ID numbers, addresses, birthdays and police reports Photo: AFP / Andrew CABALLERO-REYNOLDS
