Unknown hackers claimed to have stolen data on as many as a billion Chinese residents after breaching a Shanghai police database, in what industry experts are calling the largest cybersecurity breach in the country’s history.
The person or group claiming the attack has offered to sell more than 23 terabytes of stolen data from the database, including names, addresses, birthplaces, national IDs, phone numbers and criminal case information, according to an anonymous post on an online cybercrime forum last week. The unidentified hacker was asking for 10 bitcoin, worth around $200,000.
The scale of the alleged leak has sent shock waves through the Chinese security community, triggering speculation about the credibility of the claim and how it could have taken place. Zhao Changpeng, founder and chief executive officer of cryptocurrency exchange Binance, tweeted Monday that the company had detected the breach of a billion resident records “from one Asian country,” without specifying which, and had since increased verification procedures for potentially affected users.
Shanghai authorities have not publicly responded to the purported hack. Representatives for the city’s police and the Cyberspace Administration of China, the country’s internet overseer, did not immediately respond to faxed requests for comment.
The United States and other nations have repeatedly identified China as one of the world’s biggest sources of cybercriminals, who they say infiltrate systems on behalf of domestic agencies in search of valuable data or intellectual property.
Domestic breaches are, however, rarely disclosed because of a lack of transparent reporting mechanisms. In 2016, personal information on dozens of Communist Party officials and industry figures from Jack Ma to Wang Jianlin was said to have been exposed on Twitter, in one of the country’s biggest online leaks of sensitive information at the time. In 2020, the Twitter-like service Weibo Corp. said hackers claimed to have stolen account information for more than 538 million of its users, though sensitive data such as passwords was not leaked. And this year, tens of thousands of seemingly hacked files from China’s remote Xinjiang region provided fresh evidence of the abuse of mostly Muslim ethnic Uyghurs, according to a rights group.
The latest alleged incident again underscored the challenges facing Beijing as it collects data on hundreds of millions of people while tightening policing of sensitive online content. Under Chinese law, the exposure of personal information can result in jail terms.
It’s unclear how the alleged cyberattackers in this month’s breach gained access to Shanghai police servers. One popular theory circulated online among cybersecurity experts was that the breach involved a third-party cloud infrastructure partner. Alibaba Group Holding Ltd., Tencent Holdings Ltd. and Huawei Technologies Co. are among the country’s biggest external cloud services.