Chinese censors are working overtime to clamp down on news that the data they’ve siphoned from their citizens over the years is apparently out there and is being sold for less than the anticipated cost of a Tesla Roadster.
On Monday, reports showed that a hacker only identified as “ChinaDan” told members of the hacker site Breach Forums that he had acquired 23 terabytes of data on 1 billion Chinese citizens, according to Reuters. It’s data he’s willing to part with for the right price. How much is 1 billion people’s personal data worth? Apparently just 10 bitcoin, or approximately $200,000.
The post said that the data trove came from a leaked version of the Shanghai National Police database. ChinaDan’s original post included a sample of 250,000 citizens’ info, but that sample size was apparently increased to 750,000. BleepingComputer included an image of the forum post that reads the “Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”
The leak has drawn a fair bit of critique and claims that it’s probably exaggerated, especially considering that the total number from this Shanghai police database would be just 400 million shy of the total population of all of China, 1.4 billion.
The Chinese government has not made any official mention about the hack to reporters, in public, or online. Further reports have displayed just how much Beijing doesn’t want its citizens talking about the breach. The Financial Times reported that government censors have taken down posts on Chinese social media that dared even mention the alleged leak.
FT wrote that Weibo, essentially China’s version of Twitter, and WeChat were already censoring any mention of hashtags containing “data leak” or “database breach.” Censors blocked existing posts and even reportedly asked at least one poster with a big follower-base to come in for questioning. The NYT reported that Chinese state media has been mum on news of the hack.
The hacker wrote that the data was taken from cloud computer firm Aliyun which they said hosts the Shanghai police database. Binance CEO Changpeng Zhao wrote on Twitter July 3 saying they detected that the records were for sale on the dark web. At first, Zhao said the hack could have been caused by a bug in the deployment of government servers. The CEO later claimed it was due to a government worker who apparently wrote his official credentials on his Chinese Software Developer Network-hosted tech blog. Zhao further wrote they were “stepping up verifications” for its users whose info were included in the breach.
If true, then it is perhaps the biggest leak of personal data ever. 2022 has already proved a big year for data breaches at multinational companies as well as governments.
Gizmodo was unable to determine the authenticity of the post or what data was contained inside the trove, though the New York Times was able to confirm the veracity of the original sample containing 250,000 citizens’ personal information. Reporters called individuals listed in the database who apparently confirmed who they were and any past police reports they apparently filed—which also included whether an individual was labeled a “key person” by public security, making it easier to flag their activities in the country’s broader surveillance state.
The Wall Street Journal also called a few of the names and numbers contained in the broader 750,000 sample, where five of those people also confirmed that data that would be hard to come by if it wasn’t gathered by police. Some numbers the Journal tried were no longer valid, though the reporters noted Chinese citizens often change their numbers.
One man in the hacked dataset, who went by the surname Wei, told the Journal after learning about his information being leaked “We are all running naked,” a common phrase for Chinese resident to say that they have no privacy.
Update 07/06/22 at 2:30 p.m.: This post was amended to add updated information from Binance CEO Zhao’s Twitter.