Skip to main content

Government developer leaves database credentials on an old blog post potentially causing the largest data hack in history

Some code in purple and white whooshing away from the screen.
(Image credit: Negative Space)
Audio player loading…

The private data for 1 billion Chinese citizens was briefly put up for sale on a hacking forum, which would represent the largest leak of personal data in history. The post offering the database for sale seems to have been removed from the Breach Forum pages, which could either suggest that it was completely bogus or dangerously true.

The files were allegedly retrieved from the Shanghai National Police archive and, as well as containing the personal information of 1 billion residents, it also contained several billion individual case files.

According to the original post, archived by HotHardware (opens in new tab), the data included those individuals' names, addresses, birthdays, ID numbers, details of any criminal activity, and their phone numbers. 

That last is important potential evidence of the veracity of the data on offer. Two Wall Street Journal (opens in new tab) writers, Karen Hao and Rachel Liang, spent time calling around Chinese nationals listed in a download sample of 750,000 records that the hacker put up on the forum as proof. The journalists downloaded the sample and called a bunch of the phone numbers expecting them to be fake.

"We are all running naked," said one of the victims when called and confronted with the leak of his personal data; a popular slang phrase used in China for a noted lack of privacy.

Of the dozens they called "nine picked up and confirmed exactly what the data said," writes Hao on Twitter.

See more

"I was truly stunned when the first person picked up—I really believed the whole thing to be fake. By the third, I was shaking—both from the nerves of trying to explain why I had their extremely private information and the weight of realizing what this leak could mean for so many."

Hao and Liang note that several of the numbers they tried calling were either invalid or no longer in service, but that mobile phone users in China are more likely to change their numbers every few years than in other countries.

The database was up for sale for the paltry sum of 10 bitcoin, which translates to around $200,000 at the moment, which isn't that much for the biggest data breach of all time.

The WSJ report notes that Zhao Changpeng, CEO of crypto exchange, Binance, tweeted that its threat intelligence had detected the sale on "the dark web" and was improving its own security as a result.

See more

Zhao followed up detailing that the source of the hack could have come from a government developer writing on a tech blog and accidentally revealing the credentials of the database in published lines of code back in 2020.

Following this leak another posting, supposedly by a policeman in China, on Breach Forums promises further police database dumps "inspired by the recent Shanghai event" with an initial 2016 database posted as a "meeting gift."

Breach Forum is the spiritual successor to RaidForums, which was taken down in a joint international operation (opens in new tab) where the site's founder and main admin, Diogo Santos Coelho, was arrested and charged in the UK.

(opens in new tab)


Best SSD for gaming (opens in new tab): The best solid state drives around
Best PCIe 4.0 SSD for gaming (opens in new tab): Speedy drives
The best NVMe SSD (opens in new tab): Slivers of SSD goodness
Best external hard drives (opens in new tab): Expand your horizons
Best external SSDs (opens in new tab): Fast, solid, and portable

Dave has been gaming since the days of Zaxxon and Lady Bug on the Colecovision, and code books for the Commodore Vic 20 (Death Race 2000!). He built his first gaming PC at the tender age of 16, and finally finished bug-fixing the Cyrix-based system around a year later. When he dropped it out of the window. He first started writing for Official PlayStation Magazine and Xbox World many decades ago, then moved onto PC Format full-time, then PC Gamer, TechRadar, and T3 among others. Now he's back, writing about the nightmarish graphics card market, CPUs with more cores than sense, gaming laptops hotter than the sun, and SSDs more capacious than a Cybertruck.