The leak could be one of the largest ever recorded in history, cybersecurity experts say, highlighting the risks of collecting and storing large amounts of sensitive personal data online, especially in a country where authorities have broad and uncontrolled access to this data.
The vast trove of Chinese personal data had been publicly accessible through what appeared to be an unsecured backdoor link — a shortened web address that provides unrestricted access to anyone who knows it — since at least April 2021, according to LeakIX, a site that detects and indexes databases exposed online.
Access to the database, which did not require a password, was closed after an anonymous user announced the sale of more than 23 terabytes (TB) of data for 10 bitcoins, or approximately $200,000, in a post on a hacker forum last Thursday.
The user claimed the database was compiled by Shanghai police and contained sensitive information about one billion Chinese nationals, including their names, addresses, mobile phone numbers, national ID numbers, ages and places of birth, as well as billions of records of telephone calls made to the police to report civil disputes and crimes.
A sample of 750,000 data entries from the three main database indexes was included in the seller’s message. CNN verified the authenticity of more than two dozen sample entries provided by the seller, but could not access the original database.
The government and the Shanghai Police Department did not respond to CNN’s repeated written requests for comment.
The seller also claimed that the insecure database was hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba. When contacted by CNN for comment on Monday, Alibaba said “we are reviewing this” and would provide any updates. On Wednesday, Alibaba said it declined to comment.
But experts CNN spoke to said it was the owner of the data that was at fault, not the company hosting it.
“As it stands, I think that would be the biggest leak of public information yet – certainly in terms of the magnitude of the impact in China, we’re talking about most of the population here,” said Troy Hunt, a Microsoft regional manager based in Australia.
China has a population of 1.4 billion, which means the data breach could potentially affect over 70% of the population.
“It’s a bit of a case where the genie won’t be able to go back into the bottle. Once the data is out there in the form it appears to be now, there’s no going back,” Hunt said.
It’s unclear how many people accessed or downloaded the database in the 14 months or more it was left publicly available online. Two Western cybersecurity experts who spoke to CNN were both aware of the existence of the database before it came into the spotlight last week, suggesting it could be easily discovered by people who knew where to look.
Vinny Troia, cybersecurity researcher and founder of dark web intelligence firm Shadowbyte, said he first came across the database “around January” while researching open databases online.
“The site I found it on is public, anyone (could) access it, all you have to do is create an account,” Troia said. “Since it opened in April 2021, any number of people could have downloaded the data,” he added.
Troia said he downloaded one of the database’s main indexes, which appears to contain information on nearly 970 million Chinese citizens. But it was hard to judge whether the open access was an oversight by the database owners, or an intentional shortcut meant to be shared among a small number of people, he said.
“Either they forgot it or they intentionally left it open because it’s easier for them to access it,” he said, referring to the authorities responsible for the database. “I don’t know why they would. It seems very careless.”
Unsecured personal data – exposed through leaks, breaches or some form of incompetence – is an increasingly common problem facing businesses and governments around the world, and cybersecurity experts say it is not uncommon to find databases left open to the public.
But the latest data leak is particularly worrying, cybersecurity researchers say, not only because of its potentially unprecedented volume, but also the sensitive nature of the information contained.
A CNN analysis of the database sample found police case files spanning nearly two decades, from 2001 to 2019. Although the majority of entries are civil litigation, there are also criminal case files ranging from fraud to rape.
In one case, a Shanghai resident was summoned by police in 2018 for using a virtual private network (VPN) to evade China’s firewall and access Twitter, allegedly retweeting “reactionary remarks involving the (Communist) Party, politics and leadership.”
In another case, a mother called the police in 2010, accusing her stepfather of raping her 3-year-old daughter.
“There could be domestic violence, child abuse, all sorts of things in there, that’s much more concerning to me,” said Hunt, Microsoft’s regional manager.
“Could this lead to extortion? We often see extortion of individuals after data breaches, instances where hackers may even try to hold individuals to ransom.”
Bob Diachenko, a Ukraine-based security researcher, first discovered the database in April. In mid-June, his company detected that the database had been attacked by an unknown malicious actor, who destroyed and copied the data and left a ransom note demanding 10 bitcoins for its recovery, Diachenko said.
It is unclear if this was the work of the same person who announced the sale of the database information last week.
As of July 1, the ransom note was gone, according to Diachenko, but only 7 gigabytes (GB) of data was available, instead of the originally advertised 23TB.
Diachenko said he suspected the ransom had been resolved, but the database owners continued to use the exposed database for storage, until it was shut down over the weekend.
“Maybe a junior dev noticed and tried to delete the notes before senior management noticed,” he said.
This story was updated with additional developments on Wednesday.
CNN’s Philip Wang contributed reporting.