Have data on 1 billion Chinese, hackers say

HONG KONG -- Hackers claim to have obtained a trove of data on 1 billion Chinese from a Shanghai police database in a leak that, if confirmed, could be one of the largest data breaches in history.

In a post on the online hacking forum Breach Forums last week, user "ChinaDan" offered to sell nearly 24 terabytes of data including what they claimed was information on 1 billion people and "several billion case records" for 10 Bitcoin, worth about $200,000.

The data purportedly includes information from the Shanghai National Police database including names, addresses, national identification numbers and cellphone numbers as well as case details.

A sample of data seen by The Associated Press listed names, birthdates, ages and cellphone numbers. One person was listed as having been born in "2020," with their age listed as "1," suggesting that information on minors was included in the data obtained in the breach.

The Associated Press could not immediately verify the authenticity of the data samples. Shanghai police did not immediately respond to a request for comment.

The data leak initially sparked discussion on Chinese social media platforms such as Weibo, but censors have since moved to block keyword searches for "Shanghai data leak."

Experts said the breach, if confirmed, would be the biggest in history.

Kendra Schaefer, a partner for technology at policy research firm Trivium China, wrote on Twitter that it's "hard to parse truth from the rumor mill, but can confirm file exists."

Such data leaks are fairly common, according to Michael Gazeley, managing director at Hong Kong-based security firm Network Box.

"There are approximately 12 billion compromised accounts posted on the dark web right now," he said, adding that a majority of data leaks often come from the U.S.

Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, said the breach is "potentially incredibly embarrassing to the Chinese government," and the political harm would probably outweigh damage to the people whose data was leaked.

Most of the data is similar to what advertising companies that run banner ads would have, he said.

"When you're talking about a billion people's information and it's static information, it's not about where they traveled, who they communicated with or what they were doing, then it becomes very much less interesting," Wisniewski said.

Still, once hackers get data and put it online, it's impossible to fully remove.

"The information, once it's unleashed, is forever out there," Wisniewski said. "So if someone believes their information was part of this attack, they have to assume it's forever available to anyone and they should be taking precautions to protect themselves."

A major cryptocurrency exchange said it had stepped up verification procedures to guard against fraud attempts such as using personal information from the reported hack to take over people's accounts.

Zhao Changpeng, CEO of Binance, a cryptocurrency exchange, tweeted Monday that its threat intelligence had detected the sale of "1 billion resident records."

"This has impact on hacker detection/prevention measures, mobile numbers used for account take overs, etc." Zhao wrote, before saying that Binance had already stepped up verification measures.

Information for this article was contributed by Emily Wang and Chen Si of The Associated Press.

Upcoming Events