This content is not available in your region

Shanghai data leak: China censors searches after claim that data of 1 billion people was hacked

Hackers claim to have obtained a trove of data on 1 billion Chinese from a Shanghai police database
Hackers claim to have obtained a trove of data on 1 billion Chinese from a Shanghai police database   -   Copyright  Ng Han Guan/AP
By Luke Hurst  with AP

Authorities in China are censoring searches from citizens trying to find out more about claims that the personal details of one billion residents have been leaked, in what would be one of the biggest data hacks ever.

Hackers claim to have obtained nearly 24 terabytes of data from a Shanghai police database, claiming it contained information on one billion people and “several billion case records”.

They offered to sell it for around $200,000 (€195,000) worth of Bitcoin on an online hacking forum.

The Associated Press reports the data has not yet been independently verified, and Shanghai police are yet to respond to requests for comments.

Experts said the breach, if confirmed, would be the biggest in history.

What data do the hackers claim to have?

Last week in the online hacking forum Breach Forums, an account with the handle ChinaDan offered to sell the data for 10 Bitcoin.

In the post, the account said the Shanghai National Police database had been leaked, and included many terabytes of data on “billions of Chinese citizens”.

The data details, according to the account, include names, addresses, birthplace, national ID number, mobile number and crime and case details.

The AP reviewed a sample data set which listed names, birthdates, ages and mobile numbers.

One person was listed as having been born in “2020," with their age listed as “1,” suggesting that information on children was included in the data obtained in the breach.

Kendra Schaefer, a policy and data expert at Trivium China, said on Twitter if the leak was confirmed “it would be among biggest and worst breaches in history.”

What does the alleged hack mean for people’s privacy?

Schaefer said on Twitter that if data on children was indeed in the leak, it would be a violation of the Minor Protection Law, adding she “would be surprised if they don’t also contain files on celebs and minor officials”.

As news of the hack spread, people began posting on Chinese social media platforms such as Weibo, but censors have since moved to block keyword searches for “Shanghai data leak.”

One person commented on Weibo that the leak means everyone is “running naked” - slang used to refer to a lack of privacy - and it’s “horrifying.”

The CEO of cryptocurrency exchange Binance, Changpeng Zhao, warned that the leak could have “an impact on hacker detection/prevention measures, mobile numbers used for account take overs, etc”.

He said his platform had stepped up verification requirements for users who had been potentially affected by the hack.

Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, said that the breach is “potentially incredibly embarrassing to the Chinese government,” and the political harm would probably outweigh the actual damage done to the people whose data was leaked.

Most of the data is similar to what advertising companies that run banner ads would have, he said.

“When you’re talking about a billion people’s information and it’s static information, it’s not about where they travelled, who they communicated with or what they were doing, then it becomes very much less interesting,” Wisniewski said.

“The information, once it’s unleashed, is forever out there,” he added. “So if someone believes their information was part of this attack, they have to assume it’s forever available to anyone and they should be taking precautions to protect themselves”.

In 2020, a major cyberattack believed to be by Russian hackers compromised several US federal agencies such as the State Department, the Department of Homeland Security, telecommunications firms and defence contractors.

Last year, over 533 million Facebook users had their data published in a hacking forum after hackers scraped its data due to a vulnerability that has since been patched.