The hacker’s post reportedly began circulating on social media over the weekend. If the listed information is authentic, this could be one of the largest data breaches in history. The breach raises significant concerns because of the sensitive nature of the data. Changpeng Zhao, the CEO of Binance, said that the company’s threat intelligence team found the records in question for sale on the dark web. Several news outlets have reached out to the Chinese government and the Shanghai Police for comment. However, the authorities have yet to respond to these requests.
Data on Sale for 10 BTC
According to Reuters, ChinaDan offered to sell over 23 terabytes (TB) of stolen data for 10 BTC (nearly $195,000). The hacker provided a sample of 750,000 records for potential buyers to peruse. While we can’t verify the authenticity of the data set, it includes ID information and police call records, among other things. “In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens,” the hacker’s post allegedly reads. “Databases contain information on 1 Billion Chinese national residents and several billion case records, including: Name, Address, Birthplace, National ID Number, Mobile number, All Crime / Case details.”
Questions Surrounding the Source of the Breach
It is unclear exactly how the threat actor got their hands on the data. The hacker claims the data was taken from a private cloud network belonging to Aliyun. Aliyun is a cloud computing subsidiary of Alibaba, which hosts the Shanghai National Police database. However, in a tweet, Binance’s Zhao said an error by a government developer led to the data breach. “Apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials,” Zhao tweeted.
WSJ Reached out to Victims to Verify Leaked Data
The Wall Street Journal contacted several individuals whose numbers were listed to verify the authenticity of the data set. Five people told the Journal that the information most likely came from the police database. Four others simply confirmed the authenticity of the basic information in the files. But many phone numbers were either invalid or no longer available. Troy Hunt, a cybersecurity consultant, told the Wall Street Journal that the hacker may have exaggerated or falsified their claim. He said the sheer volume of the data, along with the fact that the hacker chose to remain anonymous, raises suspicion. According to Zhao, the incident is likely to have a major impact on the cybersecurity defenses of most organizations and digital platforms. He urged all platforms to step up their user authentication mechanisms. According to Zhao, Binance has already taken measures to verify potentially affected users. Victims often face a slew of targeted cyberattacks when their personal information is leaked online.