A hacker claims to have obtained the personal information of 48.5 million users of a COVID health mobile app run by the city of Shanghai, the second claim of a breach of the Chinese financial hub's data in just over a month.
The hacker with the username "XJP" posted an offer
to sell the data for $4,000 on the hacker forum Breach Forums on Wednesday.
The person provided a sample of the data including the phone
numbers, names, Chinese identification numbers, and health code status of 47
people.
Eleven of the 47 reached by Reuters confirmed they were
listed in the sample, though two said their identification numbers were wrong.
Reuters was unable to further verify the authenticity of the hacker's claim.
The true size and nature of these kinds of data hacks is
sometimes overstated by the seller in an attempt to make a quick profit.
"This DB (database) contains everyone who lives in or
visited Shanghai since Suishenma's adoption," XJP said in the post, which
originally asked for $4,850 before
lowering the price later the same day.
Suishenma is the Chinese name for Shanghai's health code
system, which the city of 25 million people established in early 2020 to combat
the spread of COVID-19. All residents and visitors have to use it.
The app collects travel data to give users a red, yellow or
green rating indicating the likelihood of having the virus. The code has to be
shown to enter public venues.
The data is managed by the city government and users can
access Suishenma either by downloading the app or opening it using the Alipay
app, owned by fintech giant and Alibaba affiliate Ant Group, and Tencent's
WeChat app.
The Shanghai government, Ant and Tencent did not immediately
respond to requests for comment. XJP declined to comment when reached on Breach
Forums.
"I'm not ready to answer questions yet as I have a lot
more to drop," XJP said.
The purported Suishenma breach comes after a hacker last
month claimed to have procured 23TB of personal information belonging to one
billion Chinese citizens from the Shanghai police.
That hacker also offered to sell the data on Breach Forums.
The first hacker was able to steal data from the police as a
dashboard for managing a police database that had been left open on the public
internet without password protection for more than a year, the Wall Street
Journal reported, citing cyber security researchers.
The newspaper said data was hosted on Alibaba's cloud
platform and Shanghai authorities had summoned company executives over the
matter.
Neither the Shanghai government nor the police nor Alibaba
have commented on the police database matter.
Chinese regulatory bodies have in the past two years
announced a barrage of new rules strengthening oversight over the private
sector's management of user data, after years of complaints by residents about
how their personal data could be easily stolen or sold.
A screenshot of XJP's offer on Breach Forums went viral on
Chinese social media on Friday, prompting several Weibo users to weigh in on
this latest leak and its broader implications, as well as question what sort of
action would be taken.
"Data leaks in China are really no longer uncommon
news," said one. © Reuters
0 comments:
Post a Comment