Hacker Claims Theft Of 1 Billion Police Records In China's Largest Data Breach Ever

Earlier this year, multiple US law enforcement agencies completed a joint operation with authorities from the United Kingdom, Europol, Portugal, Germany, Sweden, and Romania. This coordinated police action, dubbed Operation TOURNIQUET, culminated in the seizure of the RaidForums domain names, as well as the arrest of the website’s founder and administrator. RaidForums was a popular hub of cybercriminal activity where users shared stolen data. Over the site’s seven-year run, its users exchanged databases containing a total of over 10 billion unique records, including 47 million T-Mobile records that the company tried to buy back.

By taking down RaidForums and arresting its founder, the Department of Justice hoped to disrupt the illegal sale of stolen information online. However, shortly after RaidForums went offline, a new site known as Breach Forums appeared on the web, presenting itself as a successor to RaidForums and sporting almost identical visual design. The new site’s users have wasted no time sharing databases containing all the information previously shared on RaidForums, as well as newly stolen information. Now, Breach Forums looks to be home to China’s largest data breach.

Breach Forums post announcing the sale of the Shanghai National Police database (click to enlarge)

Late last week, a Breach Forums user by the name of “ChinaDan” posted to the website claiming to possess a recently leaked copy of the Shanghai National Police database. According to the post, the database contains the personal information of 1 billion Chinese nationals, along with several billion case records. The personal information includes the following:
  • Name
  • Address
  • Birthplace
  • Age/birthday
  • Sex
  • Height
  • National ID number
  • Phone number
  • All criminal activity and case details
ChinaDan listed the entire database for sale at a price of 10 Bitcoin, which amounts to $204,280 at the time of writing. The post started what has quickly become the website’s most viewed thread, with over 680,000 views, leading the moderators to lock the thread, citing spam. While the thread was still active, some Breach Forums users questioned the authenticity of the data, asking why such a valuable trove of data is listed for a relatively low price. Nonetheless, at least some of the data appears to be real.

The forum post includes a download link for a significant chunk of sample data, and Karen Hao, a reporter for the Wall Street Journal, tried calling some of the numbers listed in the sample data. She was able to talk to nine different people who confirmed the exact information listed in the data set. Changpeng Zhao, CEO of Binance, also stated on Twitter that his company’s threat intelligence had detected 1 billion resident records for sale online and speculated that the data leak was likely the result of a bug in an Elasticsearch deployment used by a government agency. The CEO announced that Binance has stepped up its user verification process for potential victims of the data leak and urged all other platforms to enhance their security measures as well.

Source code exposing a government developer’s login credentials and the server URL

A day later, Zhao followed up with a tweet saying that a government developer had written a blog post on the Chinese Software Developer Network (CSDN) that exposed his login credentials for a government database. The blog post includes multiple lengthy code snippets, and the developer carefully removed his login credentials and the server URL from all of them except one, where the information remains publicly visible.

If the actor responsible for the data breach used these login credentials to access a government database and exfiltrate data, it’s almost surprising that the data breach didn’t occur earlier. The blog post dates back to August 2020, meaning the login information has been exposed for almost two years now. It’s possible that other actors may have used these same login credentials to surreptitiously access a government database in the past, but never attempted to exfiltrate such a large database.
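The failure mode above, credentials scrubbed from every snippet but one, is exactly what a pre-publication check is meant to catch. The following is an added example, not code from the article or from the CSDN post: it scans a code listing for credential-bearing constructs and redacts them. The sample listing, host, user name and passwords are constructed for the demonstration.

```python
import re

# Constructed sample: a blog-post code listing where the author scrubbed
# credentials from the first snippet but missed the later one.
SAMPLE_POST = """
es = Elasticsearch(["https://<REDACTED>:9200"], http_auth=("<user>", "<pass>"))
# ... later snippet, never scrubbed:
es = Elasticsearch(["https://10.0.0.12:9200"], http_auth=("gov_dev", "Passw0rd!2020"))
conn = "postgres://admin:s3cret@db.internal.example:5432/records"
"""

# Patterns for credential-bearing constructs. Placeholders that start with
# "<" are excluded so already-scrubbed lines do not count as findings.
PATTERNS = {
    "http_auth tuple": re.compile(
        r'http_auth\s*=\s*\(\s*"(?!<)([^"]+)"\s*,\s*"(?!<)([^"]+)"\s*\)'),
    "credentialed URL": re.compile(
        r'[a-z][a-z0-9+.-]*://[^\s:/@"]+:[^\s/@"]+@[^\s"]+'),
    "host:port in URL": re.compile(r'https?://(?!<)[^\s"/]+:\d{2,5}'),
}


def find_secrets(text):
    """Return (line_no, kind, matched_text) for every credential-like hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((n, kind, m.group(0)))
    return findings


def redact(text):
    """Replace each hit with a placeholder so the listing is safe to publish."""
    out = []
    for line in text.splitlines():
        for pat in PATTERNS.values():
            line = pat.sub("<REDACTED>", line)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for line_no, kind, hit in find_secrets(SAMPLE_POST):
        print(f"line {line_no}: {kind}: {hit}")
    print(redact(SAMPLE_POST))
```

Run as a pre-publish or pre-commit hook, a non-empty result from `find_secrets` blocks the post until `redact` (or a manual edit) clears it.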

We have yet to see whether ChinaDan does actually possess a recently obtained database containing the personal information and police records of 1 billion Chinese residents, but, if the Breach Forums user is telling the truth, this data breach would be the largest in China’s history.