(CNN) — A huge online database apparently containing the personal information of up to a billion Chinese citizens remained unprotected and accessible to the public for more than a year, until an anonymous user on a hacker forum offered to sell the data and attracted attention last week.
According to cybersecurity experts, the breach could be one of the largest in recorded history, and underscores the risks of collecting and storing large amounts of sensitive personal data online, especially in a country where authorities have wide and unchecked access to such data.
The vast trove of Chinese personal data had been publicly accessible through what appeared to be an unsecured backdoor link, that is, a direct access web address that offers unrestricted access to anyone with knowledge of it, since at least April 2021, according to LeakIX, a site that detects and indexes databases exposed online.
Access to the database, which did not require a password, was shut down after an anonymous user advertised the more than 23 terabytes of data for sale for 10 bitcoin, roughly $200,000, in a hacker forum post last Thursday.
The user claimed that the database had been compiled by the Shanghai police and contained sensitive information about one billion Chinese citizens, including their names, addresses, cell phone numbers, national identification numbers, ages and places of birth, as well as billions of records of phone calls made to the police to report civil disputes and crimes.
The seller included a sample of 750,000 data entries from the three major database indices in the post. CNN verified the authenticity of more than two dozen entries from the sample provided by the seller, but was unable to access the original database.
The Shanghai government and police department did not respond to CNN’s repeated written requests for comment.
The seller also claimed that the unsecured database had been hosted by Alibaba Cloud, a subsidiary of Chinese e-commerce giant Alibaba. In a statement to CNN, Alibaba said it was aware of the incident and was investigating it.
But experts CNN spoke with said it was the owner of the data that was to blame, not the company hosting it.
“I think this is the biggest public information leak to date, certainly in terms of the breadth of the impact in China, we’re talking about the majority of the population,” said Troy Hunt, an Australia-based Microsoft regional director.
There are 1.4 billion people living in China, which means that the data breach could affect more than 70% of the population.
“It’s a case where the genie won’t be able to go back into the bottle. Once the data has come out in the way it appears to be now, there’s no going back,” Hunt said.
It is not clear how many people have accessed or downloaded the database during the 14 months or more that it has been publicly available on the Internet. Two Western cybersecurity experts who spoke to CNN were aware of the database’s existence before it was made public last week, suggesting it could be easily discovered by people who knew where to look.
Vinny Troia, a cybersecurity researcher and founder of the dark web intelligence company Shadowbyte, said he first discovered the database “around January” while searching for open databases online.
“The site I found it on is public, anyone (could) access it, all you have to do is sign up for an account,” Troia said. “Since it was opened in April 2021, anyone could have downloaded the data,” he added.
Troia said he downloaded one of the main indexes of the database, which appears to contain information on nearly 970 million Chinese citizens.
Troia said it was difficult to judge with certainty whether open access was an oversight by the database owners, or an intentional shortcut meant to be shared among a small number of people.
“Either they forgot about it, or they intentionally left it open because it’s easier for them to access,” he said, referring to the authorities responsible for the database. “I don’t know why they would. It seems very careless.”
Insecure personal data, exposed through leaks, breaches or some form of incompetence, is an increasingly common problem facing businesses and governments around the world, and cybersecurity experts say it’s not unusual to find databases that are left open to public access.
In 2018, Troia discovered that a Florida-based marketing company exposed nearly 2TB of data that appeared to include personal information of hundreds of millions of American adults on a publicly accessible server, according to Wired.
In 2019, Victor Gevers, a Dutch cybersecurity researcher, found an online database containing names, national identification numbers, dates of birth, and location data for more than 2.5 million people in China’s far western region of Xinjiang, which was left unprotected for months by the Chinese company SenseNets Technology, according to Reuters.
But the latest data breach is especially concerning, according to cybersecurity researchers, not only because of its potentially unprecedented volume, but also because of the sensitive nature of the information contained.
A CNN analysis of the database sample found police case records spanning nearly two decades, from 2001 to 2019. Although the majority of entries are civil disputes, there are also criminal case records ranging from fraud to rape.
In one case, a Shanghai resident was cited by police in 2018 for using a virtual private network (VPN) to bypass China’s firewall and access Twitter, allegedly retweeting “reactionary comments involving the (Communist) Party, politics and the leaders.”
In another record, a mother called the police in 2010, accusing her father-in-law of raping her 3-year-old daughter.
“There could be domestic violence, child abuse, all kinds of things in there, that to me is much more concerning,” said Hunt, the Microsoft regional director.
“Could this lead to extortion? We often see extortion of individuals following data breaches, examples where hackers may even try to hold individuals for ransom.”
The Chinese government has recently intensified its efforts to improve the privacy protection of users’ data online. Last year, the country passed its first Personal Information Protection Law, which sets out the basic rules on how personal data should be collected, used and stored. But experts have expressed concern that, although the law can regulate technology companies, applying it to the State could be difficult.
Bob Diachenko, a Ukraine-based security researcher, first came across the database in April. In mid-June, his company discovered that the database had been attacked by an unknown malicious actor, who destroyed and copied the data and left a ransom note asking for 10 bitcoins for recovery, according to Diachenko.
It is unclear if this was the work of the same person who announced the sale of the database information last week.
As of July 1, the ransom note was gone, according to Diachenko, but only 7 gigabytes (GB) of data remained available, instead of the initially announced 23 TB.
Diachenko said this suggested the ransom had been resolved, but the database owners had continued to use the exposed database for storage, until it was shut down over the weekend.
“Maybe there was some junior developer who took notice and tried to remove the notes before senior management was aware of it,” he said.
Shanghai police did not respond to CNN’s request for comment on the ransom note.