Samples from a 23+ terabyte database thought to contain the personal information of over one billion Chinese citizens have been verified as legitimate by several sources. The supposed personal data collection was posted for sale on the hacker forum Breach Forums on June 30, drawing a massive amount of attention over the course of the last week.
In a message posted by forum user ChinaDan, the data is described as leaked from the Shanghai National Police Database, which they say was hosted on an Alibaba private cloud server. The poster is attempting to sell the data for 10 BTC, which is slightly over $200,000, and has released freely available samples for potential buyers to confirm. The data set purportedly contains names, addresses, national IDs, mobile phone numbers, and even police and medical records of affected individuals.
One China-based reporter working for the Wall Street Journal, Karen Hao, claimed on Twitter to have “downloaded the sample the hacker provided and called dozens of people listed,” reporting that “nine picked up and confirmed exactly what the data said.”
“One man, upon hearing why we had his information, sighed in resignation: ‘We are all running naked,’ he said, using popular Chinese slang for a lack of privacy,” said Hao in a follow-up tweet. “If the hack indeed encompasses 1 billion people, it would be one of the largest cybersecurity breaches ever recorded and the largest known for China,” she added.
The authenticity of the sample data was also confirmed by Changpeng Zhao, CEO of crypto exchange Binance, who relayed that his company’s threat intelligence had downloaded the available samples and that verification will be “stepped up” for potentially affected users of the exchange.
As of Tuesday, July 5, the original sale thread on Breach Forums, which has a presence on both the clearnet and darknet, had garnered over 715,000 views. The thread itself was locked on July 3 after reaching 18 pages in length and being inundated with an ever-increasing amount of spam. It is currently unknown whether the entire dataset is legitimate.