Vast Leaked Cache of Chinese Police Files Offered for Sale (wsj.com)

Karen Hao and Rachel Liang, Wall Street Journal:

The cache allegedly includes billions of records stolen from police in Shanghai, containing data on one billion Chinese citizens, according to a post advertising its availability that was published on Thursday by the hacker on a popular online cybercrime forum. The post, which began circulating on social media over the weekend, put the price for the leak at 10 Bitcoin, or roughly $200,000.

[…]

While the scope of the data leak remains unconfirmed, reporters verified several of the records in the leak by calling people whose numbers were listed. Five people confirmed all of the data, including case details that would be difficult to obtain from any source other than the police. Four more people confirmed basic information such as their names before hanging up.

Take the numbers here with a grain of salt. The alleged amount of information is so vast that a difference of a single-digit percentage either way would mean tens of millions of people. If this database ends up containing records on, say, hundreds of millions of people instead of a billion, it is still huge, but the difference would be significant.

Yesterday, “lz__233” tweeted evidence of database credentials disclosed in a CSDN user’s since-deleted technical post. Regardless of whether that played a role in this staggering disclosure, it is enough to make anyone wonder whether it is just a matter of time before any given massive data set leaks. These are the kinds of records you would imagine are more carefully protected — in theory — than an average web service.

Update: It appears the disclosed database credentials likely had nothing to do with this leak. Hao and Liang, in a follow-up Journal article:

The Shanghai police records — containing the names, government ID numbers, phone numbers and incident reports of nearly 1 billion Chinese citizens — were stored securely, according to the cybersecurity experts. But a dashboard for managing and accessing the data was set up on a public web address and left open without a password, which allowed anyone with relatively basic technical knowledge to waltz in and copy or steal the trove of information, [cybersecurity experts] said.

Breathtaking incompetence, but I would bet this is more common than you might believe. Clever attacks — like 2020’s SolarWinds breach — are more attention-grabbing, but there are many examples of entirely unsecured control panels, server passwords and databases.