Record Cyber Breach in China Spurs Eruption in Data for Sale

Since the data of about roughly 1 billion Chinese citizens appeared for sale on a popular dark web forum in June, researchers have observed a surge in other kinds of personal records from China appearing on cybercriminal marketplaces.

In the aftermath of that record leak, an estimated 290 million records about people in China surfaced on an underground bazaar known as Breach Forums in July, according to Group-IB, a cybersecurity firm based in Singapore. In August, one seller hawked personal information belonging to nearly 50 million users of Shanghai’s mandatory health code system, used to enforce quarantine and testing orders. The alleged hoard included names, phone numbers, IDs and their Covid status -- for the price of $4,000.

“The forum has never seen such an influx of Chinese users and interest in Chinese data,” said Feixiang He, a researcher at Group-IB. “The number of attacks on Chinese users may grow in the near future.”

Bloomberg was unable to confirm the authenticity of the datasets for sale on Breach Forums. The website, like other markets where illicit goods are sold, has been home to false advertisements meant to generate attention, as well as legitimate data apparently stolen in security incidents, including an instance where users marketed user information taken from Twitter Inc.

The interest in leaked Chinese data has trained a spotlight on the vast amount of information that government officials collect through Beijing’s sprawling surveillance apparatus. In the summer incident, the unknown hackers claimed to have stolen data of about 1 billion Chinese residents after their discovery of an unsecured Shanghai police database, laying bare significant vulnerabilities in how government agencies store citizens’ information.

Before that episode, there were three China-related databases marketed on Breach Forums, according to Group-IB’s Feixiang He. In July, that number jumped to 17, the firm found. Researchers were unable to confirm the legitimacy of all the information in databases posted that month.

Chinese-speaking users on Breach Forums expressed surprise that data about the country’s citizens was available for sale, according to a Bloomberg News review. The posts were so frequent that a forum administrator asked website visitors to keep posts in the English language. “Please do not send Chinese characters,” they wrote.

In the 10-day period following the apparent Shanghai leak, researchers from San Francisco-based Reposify Ltd. discovered more than 12,700 exposed assets — including web servers and remote access sites — when scanning for software vulnerabilities in Chinese government websites. This also included 1,436 exposed databases, which “could account for millions of potentially accessible data points representing Chinese citizens,” the company said.

The uptick in databases for sale comes in spite of Beijing’s increasingly strict cybersecurity and data privacy standards, which President Xi Jinping has tied closely to national security.

Shanghai authorities and China’s internet regulators haven’t publicly addressed leaks of police and health system data, and discussions of the incidents have been scrubbed by censors from local social media. Shanghai’s government and the Cyberspace Administration of China, the main internet regulator, didn’t respond to multiple faxes requesting comment.

“We can see tens of thousands, more than 20,000 servers in China alone that are completely open,” said Stanislav Pratossov, co-founder of the security firm Acronis International GmbH. “This happens everywhere. In China, I guess, the amount is outrageous just because of the size of the Chinese economy, and the number of servers in China is huge.”

Away from the public view, analysts said, they expect an internal review within the government agencies in question and tighter scrutiny of those involved in data management.

“It doesn’t matter how this plays out, it’s going to shed a bad light on the cybersecurity regime, on institutions that enforce these regulations,” said Michael Frick, a cyber consultant for businesses in China and a published author on the country’s cyber industry.

In the meantime, hackers are readying themselves for more data dumps. One new user on the underground database forum, who claimed to be selling the Shanghai health system data after joining the site in July, alleged that they had more leaked information to share. “In my humble opinion, no amount of cyber security [or] data protection could stop data leaks from ever happening,” the unnamed user wrote.

As for Breach Forums, its administrators offered a pointed reminder in its welcome message to new Chinese users: “We are not in China and we are not Chinese, so we do not have to obey Chinese laws.”