
Government developer leaves database credentials on old blog post, potentially causing biggest data breach in history

The private data of one billion Chinese citizens was briefly put up for sale on a hacking forum in what is believed to be the biggest personal data leak in history. The post offering the database for sale appears to have been removed from Breach Forums, which could mean either that the offer was a complete hoax or that it was genuine and dangerous.

The files were said to have been extracted from the Shanghai National Police archives and to contain several billion individual records covering the personal information of a billion people.

According to the original post, archived by HotHardware, the data included the names, addresses, birthdays, identification numbers and telephone numbers of these individuals, along with details of any criminal activity.

The telephone numbers offered a way to test the veracity of the data on offer. Two Wall Street Journal writers, Karen Hao and Rachel Liang, spent time calling Chinese nationals listed in a sample of 750,000 records that the hacker posted on the forum as evidence. The reporters downloaded the sample and called a number of the phone numbers, expecting them to be fake.

‘We’re all running naked,’ said one of the victims when called and confronted with the leak of their personal data, using a popular slang expression in China for a notorious lack of privacy.

Of the dozens they called, “nine retrieved and confirmed exactly what the data said,” Hao wrote on Twitter.


“I was really stunned when the first person picked up – I truly believed it was all wrong. By the third I was shaking – both from the nerves of trying to explain why I had their extremely private information and from the weight of realizing what this leak could mean to so many people.”

Hao and Liang note that several of the numbers they tried to call were invalid or no longer in service, but that mobile phone users in China are more likely than those in other countries to change numbers every few years.

The database was on sale for the paltry sum of 10 bitcoins, around $200,000 at current prices, which isn’t much for the biggest data breach of all time.

The WSJ report notes that Zhao Changpeng, CEO of the crypto exchange Binance, tweeted that his threat intelligence team had detected the sale on “the dark web” and that he was tightening his own security accordingly.


Zhao went on to suggest that the source of the breach may have been a government developer who, writing on a tech blog in 2020, accidentally included the database credentials in the lines of code he published.

Following this leak, another post on Breach Forums, supposedly by a police officer in China, promises more police database dumps “inspired by the recent event in Shanghai”, with an initial database from 2016 published as a “reunion gift”.

Breach Forums is the spiritual successor to RaidForums, which was dismantled in a joint international operation in which the site’s founder and main administrator, Diogo Santos Coelho, was arrested and charged in the UK.
