A hacker has claimed to have stolen the personal information of 1 billion Chinese citizens from a Shanghai police database, in what would amount to one of the biggest data breaches in history if found to be true.
The anonymous hacker, identified only as “ChinaDan”, posted on hacker forum Breach Forums last week offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000 (£165,000).
“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on billions of Chinese citizen,” the post said.
“Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”
The identity of the hacker is not clear. The Guardian was unable to verify the authenticity of the post, and several numbers in the sample database were no longer in use when contacted by the Guardian.
Officials in China have yet to respond to the alleged data hack as of Monday.
Yi Fu-Xian, a senior scientist at the University of Wisconsin-Madison, said he had downloaded the sample data available on the internet and found information related to his home county in Hunan province.
“The data contained information about almost all the counties in China, and I have even discovered data related to a remote county in Tibet, where there are only a few thousand residents,” he said, adding that the demographic trend extracted from the data “is worse than the officials have reported”.
China has in recent years seen a number of data leak incidents. In 2016, sensitive informationabout powerful Chinese individuals, including the founder of Alibaba, Jack Ma, was posted on Twitter.
These incidents alarmed the Chinese authorities. Last year, China passed laws governing how personal information and data generated within its borders should be handled.
Over the weekend, ChinaDan’s post has been widely discussed on China’s Weibo and WeChat social media platforms over the weekend, with many users worried it could be real.
The hashtag “Shanghai data leak” was blocked on Weibo by Sunday afternoon, but there are still a few discussions on Chinese social media about this incident. Users expressed shock and dismay, with some saying they were now “transparent human beings”.
Kendra Schaefer, head of tech policy research at Beijing-based consultancy Trivium China, said in a post on Twitter it was “hard to parse truth from rumour mill”.
If the material the hacker claimed to have came from the ministry of public security, it would be bad for “a number of reasons”, Schaefer said. “Most obviously it would be among biggest and worst breaches in history.”
Zhao Changpeng, CEO of Binance, said on Monday the cryptocurrency exchange had stepped up user-verification processes after the exchange’s threat intelligence detected the sale of records belonging to one billion residents of an Asian country on the dark web.
He wrote on Twitter that a leak could have happened due to “a bug in an elastic search deployment by a (government) agency”, without saying if he was referring to the Shanghai police case.
The claim of a hack comes as China has vowed to improve protection of online user data privacy, instructing its tech giants to ensure safer storage after public complaints about mismanagement and misuse.