Cybersecurity experts still can’t confirm the claims of a person selling what they say are databases of stolen information of 1 billion Chinese residents from the Shanghai police department.
According to the Associated Press, the claim was recently made in a post on the online hacking forum Breach Forums by someone using the handle “ChinaDan.” The poster is selling nearly 24 terabytes of data for 10 bitcoin, which would be just under US$200,000.
As of Tuesday night, when this story was written, the police force hadn’t confirmed the theft.
UPDATE: Cybersecurity researcher Bob Diachenko told TechCrunch his monitoring shows the database was exposed in April through a Kibana dashboard, a web-based software used to visualize and search huge Elasticsearch databases. If the database didn’t require a password as believed, the news site says, anyone could have accessed the data if they knew its web address.
There’s confirmation that some stolen data is involved, some of which seem to be from police reports of alleged crimes, but not the size of the breach. The AP said a sample of data it has seen listed names, birthdates, ages, and mobile numbers. One person was listed as having been born in “2020,” with their age listed as “1,” which, the news agency said, suggests that information on minors was included in the data obtained in the breach.
The seller has posted what they say is a part of the databases for sale, with 750,000 entries, as confirmation of the hack.
The Bleeping Computer news service quotes a Wall Street Journal reporter saying she reached out to dozens of people allegedly named in the databases for sale, five of whom confirmed data offered is about them.
Similarly, Agence France Press (AFP) said a sample of the supposed confirmation data it saw included Chinese citizens’ names, mobile phone numbers, national ID numbers, addresses, birthdays, and police reports they had filed. AFP and cybersecurity experts verified some of the citizen data in the sample is authentic.
While the data allowed to be seen by the seller is likely real, it can’t be confirmed whether it was from Shanghai police or if it had been assembled from earlier breaches. Nor can the alleged one billion victim number be confirmed.
AFP quoted one official from a cybersecurity firm as being skeptical of that number.
The New York Post quotes the Financial Times saying widely used hashtags such as “data leak” and “1 billion citizens’ records leak” are no longer accessible on the Chinese social media site Weibo.