Private Details of 1 Billion Chinese Citizens up for Sale on Dark Web

The hacker apparently siphoned 23 TB of details from a Shanghai police database stored in Alibaba’s cloud.

 

In what could be the biggest-ever breach of personal information in history, a massive store of data containing information about more than a billion people has been leaked from a government agency, possibly from China, and put up for sale on the Dark Web for 10 Bitcoins.

More than 23TB of details apparently siphoned from a Shanghai police database stored in Alibaba’s cloud was put up for sale on the underground Breach Forums by someone with the handle ‘ChinaDan’. The leaked data included names, addresses, birthplaces, national ID numbers, cellphone numbers, and details of any related police records. 

"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens," Changpeng Zhao, CEO of cryptocurrency exchange Binance, posted on Twitter. "Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details."

How did the data leak? 

The root cause of the data leak remains unknown, but experts believe that the database may have been misconfigured and left exposed by human error since April 2021 before it was identified. This would contradict a claim that the database's credentials were inadvertently leaked as part of a technical blog post on a Chinese developer site in 2020 and later used to steal a billion records from the police database, since no passwords were required to access it.

But according to Bob Diachenko, a Ukrainian security researcher, this claim may not be correct. The researcher's monitoring records show that in late April the database was exposed via a Kibana dashboard, web-based software used to visualize and search massive Elasticsearch databases. If the database didn't require a password, as believed, anyone who knew its web address could have accessed the data.

Cybersecurity experts frequently search the internet for exposed databases or other sensitive data. But hackers also run the same scans, often with the motive of copying data from an exposed database, deleting it, and offering the data's return for a ransom payment, the standard methodology employed by attackers in recent years.

Diachenko believes that's exactly what happened on this occasion: a hacker discovered, raided, and deleted the exposed database, and left behind a ransom note demanding 10 bitcoins for its return.

“My hypothesis is that the ransom note did not work and the threat actor decided to get money elsewhere. Or, another malicious actor came across the data and decided to put it up for sale,” said Diachenko.