A hacker calling themselves “ChinaDan” recently raised major alarms by offering the personal data of 1 billion Chinese citizens for sale, but the samples they provided on an underground forum show signs that the information comes from previously known data leaks that together comprise a much smaller number of records.
If the hacker is true to their word, they captured the personal data of well over half of the country’s entire population from the servers of the Shanghai National Police (SHGA). But a suspiciously low asking price, combined with markers found by security researchers, indicates that the total may be much closer to 100 million records of Chinese citizens that have already been made available from other sources.
Data leak would be one of history’s largest, but is it legitimate?
“ChinaDan” claims that they are sitting on 23 terabytes of personal data stolen from the SHGA database, comprising the usual sorts of items associated with records kept for identification purposes: full names, home addresses, places of birth, national identity numbers and phone numbers. In addition to the one billion personal records, the hacker claims that they also filched a few billion court records.
However, the first item that has raised suspicion about the authenticity of the data leak is the asking price: a mere $200,000 for the full package. While that is certainly a lot by normal standards, it is quite low for a breach of personal data of this magnitude.
The hacker shared a sample of 750,000 records in a bid to inspire trust, and security researchers have confirmed that the collection contains numerous pieces of legitimate contact information for Chinese citizens. However, researchers with leading cybersecurity firm Check Point say that they have seen these records before in other cyber crime forums. Specifically, some records seem to match personal data stolen from courier service ShunFeng Express in 2020; that breach saw 66 million records of Chinese citizens exposed. Other records appear to come from a previously known breach of a number of Chinese driving schools.
Were there actually 1 billion new records in this data leak, it would rank among the top five biggest breaches of all time. It would also be arguably the most damaging to the public, given that the range of data claimed in this leak was not exposed to the general public in the others. But those who frequent the cyber crime forum it was first offered on did not feel particularly confident in its authenticity, with the best offer being just a little over half the asking price before the listing was terminated.
Chinese citizens advised to be cautious with communications involving personal data
Nevertheless, Chinese citizens are advised to be wary of communications involving personal data while the issue is investigated. There is at least some legitimate information in the posted sample, and it could be used to approach individuals with scams. It is also difficult to get updated information on the issue inside the country, as the government appears to have asked Weibo, WeChat and possibly other services to suppress discussion of it.
There is at least one indication from security experts that the data leak may be legitimate. Zhao Changpeng, CEO of Binance, said on Twitter that his security team had found a public blog post, since taken down, from a Chinese engineer who worked on the SHGA systems; the post contained an ElasticSearch database username and password. However, it is unclear whether this was the cause of the breach or merely a coincidence.