The alleged breach is being sold online by the hacker, with samples reportedly appearing to be legitimate data of Chinese citizens.
An anonymous hacker has claimed to have stolen a trove of data from the Shanghai police on 1bn Chinese citizens, in what would be one of the biggest data breaches in history if its true.
The threat actor posted the announcement on a hacker forum using the handle “ChinaDan”. The hacker said the alleged stolen data includes names, addresses, birthplaces, national IDs, mobile numbers and criminal case information.
The hacker has offered to sell more than 23Tb of data for 10 bitcoin, which is worth roughly $200,000. The scale of the claim has lead to many groups working to verify if the hack is legitimate and how it could have occurred.
Binance CEO Changpeng Zhao or “CZ” tweeted that the company’s threat intelligence detected 1bn “resident records” for sale in the dark web and said it was “likely due to a bug in an Elastic Search deployment” by a government agency.
The hacker said the data was exfiltrated from a from a local private cloud provided by Alibaba Cloud which is part of the Chinese police network, according to BleepingComputer.
Wall Street Journal reporter Karen Hao said on Twitter that she downloaded the data sample which the hacker shared online. After calling dozens of the people listed, she said nine picked up and “confirmed exactly what the data said.”.
“At this point, it’s impossible to confirm the scale of the data leak, but five of the people who picked up verified all of the case details listed with their name — information that would be difficult to obtain from any source other than the police,” Hao said on Twitter.
The cases range from incidents of petty theft and cyber fraud to reports of domestic violence, dating as far back as 1995 to as recently as 2019.
— Karen Hao 郝珂灵 (@_KarenHao) July 4, 2022
Hao said experts remain “cautious” about the claim that the hack involves 1bn people, as the hacker could be exaggerating to boost financial gain.
“Have I Been Pwned” creator Troy Hunt tweeted that he spoke to Hao about the alleged breach and said it is “pretty sensational if true”. He added that it “isn’t data aggregator stuff either, it’s police reports so very unique data”.
Third-party weak spots
CEO of cybersecurity product provider X-PHY, Camellia Chan, said we now live in a world where stories of data breaches are regular, but “everyone should sit up and take notice” when claims of this scale are made.
Chan referenced the theory that the alleged hack occurred via a third-party infrastructure provider and said organisations should remember that cybersecurity needs to be “holistic”.
“Cybercriminals will look for any way in, so even if a company feels that they have all internal processes locked down – which is statistically unlikely – the third-party they use to deliver office milk or some other service may not,” Chan said. “That’s their weak spot.”
Bill Conner, cybersecurity advisor and CEO of SonicWall, said personally identifiable information is highly sought after by cybercriminals for monetary gain.
“Organisations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost,” Conner said. “Personal information that does not change as easily as a credit card or bank account number drive a high price on the dark web.”
The type of data breaches and cyberattacks appear to have grown more varied and unique recently. The British Army is conducting an investigation after its Youtube and Twitter accounts were hacked and were used to share posts about cryptocurrencies and NFTs.
Earlier this month, it was reported that a worker in Japan lost a USB that contained the details of an entire city of people, which was roughly half a million citizens.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.