This past week, a hacker going by the name ChinaDan allegedly breached the Shanghai National Police (SHGA) database and put nearly 23 TB of data up for sale for 10 bitcoin (BTC), a little over $200k USD as of this writing. ChinaDan claims the data contains “information on 1 Billion Chinese national residents and several billion case records,” including names, addresses, birthplaces, national ID numbers, mobile numbers, and a wide range of data drawn from police reports and criminal cases.
To prove the data haul is legitimate, the hacker provided a sample of 750k entries drawn from three separate indexes, 250k from each: names, birthdays, and addresses with phone numbers. The WatchGuard Security Team has reviewed the sample data and it appears to be legitimate, although the authenticity of the full database has yet to be verified, and the original post on BreachForums, a well-known forum in the hacker community, has since been removed. The original post can be seen in the picture below.
If the data ChinaDan provided turns out to be authentic, this breach could be one of the largest ever in terms of people affected. The Yahoo! breach is typically ranked as the largest, with 3 billion accounts affected, followed by the aggregated dump of 2.2 billion usernames in the Collection #1-5 databases in 2019, and then the Aadhaar breach affecting 1.1 billion Indian citizens. The SHGA breach could be next on that list.
The first question asked after any large-scale data breach is “How did this happen?” Allegedly, the cause here was a developer error in an Elasticsearch deployment on Alibaba Cloud: a screenshot posted by a forum user shows the cluster endpoint, accessId, and accessKey hardcoded as variables in source code. An Alibaba Cloud AccessKey pair is a long-lived credential, so anyone who obtains code that embeds it can authenticate to the cluster as that identity until the key is rotated or revoked. That is consistent with how access was said to have been obtained, although the screenshot alone shows the error, not proof that it was the path in. See the screenshot below.
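The defect described above, hardcoded cloud credentials in application source, is the kind of thing a pre-commit secrets scan catches. The following is an added example, not code from the original post or from any system involved in the breach: a small scanner that flags credential-looking assignments (including values that carry the `LTAI` prefix Alibaba Cloud uses for AccessKey IDs) and URLs with embedded user:password, run over a constructed snippet with placeholder values, alongside a hardened loader that reads the same settings from the environment and fails loudly when they are missing. The snippet contents, variable names, and environment variable names are assumptions for illustration (the `ALIBABA_CLOUD_ACCESS_KEY_*` names follow the Alibaba Cloud SDK credential-chain convention).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample source, shaped like the snippet the forum screenshot is described
# as showing: cluster endpoint plus an AccessKey pair assigned as string literals.
# All values are placeholders; no real credential appears here.
LEAKY_SNIPPET = """\
endpoint = "http://es-cn-example.elasticsearch.aliyuncs.com:9200"
accessId = "LTAI5tEXAMPLE0KEYID00"
accessKey = "EXAMPLEsecretEXAMPLEsecretEXAMPLE1"
backup_url = "http://admin:Passw0rd!@backup.internal:9200"
"""

# The hardened form of the same three settings: nothing secret is a literal.
HARDENED_SNIPPET = """\
import os
endpoint = os.environ["ES_ENDPOINT"]
accessId = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]
accessKey = os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"]
"""

# `name = "literal"` or `name: 'literal'` (Python, JS, YAML-ish configs).
ASSIGNMENT = re.compile(r"""^\s*(?P<name>[A-Za-z_][\w.]*)\s*[=:]\s*["'](?P<value>[^"']+)["']""")
# Variable names that usually hold a credential.
CRED_WORDS = re.compile(r"accessId|accessKey|secret|password|token", re.I)
# scheme://user:password@host, i.e. a credential smuggled inside a URL.
URL_USERINFO = re.compile(r"""[a-z][a-z0-9+.-]*://(?P<user>[^/\s:@"']+):(?P<password>[^@\s"']+)@""", re.I)


@dataclass
class Finding:
    line_no: int
    kind: str      # "alibaba_accesskey_id", "assignment" or "url_userinfo"
    name: str      # variable name, or the user part of a URL
    preview: str   # masked value, so the report itself is safe to share


def mask(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so the scanner output does not re-leak the secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def find_hardcoded_credentials(source: str) -> List[Finding]:
    """Return one Finding per line that assigns a credential literal or embeds one in a URL."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if m and CRED_WORDS.search(m.group("name")):
            value = m.group("value")
            # Alibaba Cloud RAM AccessKey IDs start with "LTAI"; flag those specifically.
            kind = "alibaba_accesskey_id" if value.startswith("LTAI") else "assignment"
            findings.append(Finding(line_no, kind, m.group("name"), mask(value)))
            continue
        u = URL_USERINFO.search(line)
        if u:
            findings.append(Finding(line_no, "url_userinfo", u.group("user"), mask(u.group("password"), 0)))
    return findings


REQUIRED_SETTINGS = ("ES_ENDPOINT", "ALIBABA_CLOUD_ACCESS_KEY_ID", "ALIBABA_CLOUD_ACCESS_KEY_SECRET")


def load_es_settings(env: Dict[str, str]) -> Dict[str, str]:
    """Hardened loader: take the endpoint and AccessKey pair from the environment
    (in production, from an instance RAM role or a secrets manager) and refuse to
    start if any is missing, rather than falling back to a literal in the code."""
    missing = [k for k in REQUIRED_SETTINGS if not env.get(k)]
    if missing:
        raise RuntimeError("missing credential settings: " + ", ".join(missing))
    return {k: env[k] for k in REQUIRED_SETTINGS}


if __name__ == "__main__":
    for label, snippet in (("leaky", LEAKY_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        hits = find_hardcoded_credentials(snippet)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no}: {f.kind} {f.name} = {f.preview}")
```

Run against the leaky snippet the scanner reports the AccessKey ID, the AccessKey secret, and the credential inside `backup_url`, and reports nothing for the hardened snippet. The scanner is deliberately name- and shape-based rather than entropy-based, because the failure mode on this page is a recognisable credential assigned in plain sight; a production setup would pair it with a dedicated tool and with key rotation, since a key that has already been committed must be treated as burned.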
The story doesn’t stop there. A few days later, another hacker by the name of CNWang claimed to have been inspired by ChinaDan and leaked the Henan National Police (HNGA) database, also posted on BreachForums. CNWang claims similar data to ChinaDan’s: name, age, address, national ID number, and mobile number, but no police reports or case information. This dump is claimed to cover 90 million citizens of Henan province and is listed for 1 BTC, a little over $20k USD at the time of this writing. The WatchGuard Security Team has reviewed the sample data provided and found a few records that overlap with ChinaDan’s, so the two dumps are not fully disjoint. Combining the two, the number of Chinese citizens possibly affected is therefore somewhere between 1 billion and 1.09 billion. CNWang’s post can be seen below and is still up as of this writing.
This story is still developing and if any data verification or further breaches occur, this post will be updated to reflect these changes.
As always, if you are a citizen affected by a public data leak, in China or anywhere else, consider placing a freeze or lock on new credit and loans so that identity thieves cannot open or access an account in your name, and consider a personal identity-monitoring service. Passwords are not reported to be part of these dumps, so rotation is probably unnecessary here, but when a breach does include credentials you should rotate every password associated with it, and if you reuse the same password across sites, that means rotating all of them.