China is rapidly censoring news of the alleged hacking of a Shanghai police database that threatens to expose the personal data of more than 1bn people, in what could be one of the largest-ever leaks of private information.
An anonymous hacker advertised the data on an online cyber crime forum late last month, claiming the full file for sale contained multiple terabytes of details, including names, addresses, IDs, phone numbers and criminal records of more than 1bn Chinese people.
The alleged hack set Chinese social media abuzz for a brief period over the weekend, but by Monday microblogging network Weibo and Tencent’s WeChat had begun to censor the topic.
Hashtags such as “data leak”, “Shanghai national security database breach” and “1 billion citizens’ records leak”, which had amassed millions of views and comments, were blocked on Twitter-like Weibo.
One Weibo user with 27,000 followers said a viral post about the hack had been removed by censors and that she had already been invited by local authorities to discuss the post.
Tencent’s WeChat also appears to have removed the news, including a public post by a well-known cyber security blogger. The post, which was published on the blogger’s public page “JohnDoes loves study”, detailed the implications of the huge data breach. It was no longer accessible on Tuesday.
Chinese search engine Baidu showed few results about the topic, and the links it provided to discussions about the hack on Zhihu were inaccessible as of Tuesday.
The hacker, writing under the name ChinaDan, uploaded a description and sample of the data haul to the online forum and named a purchase price: 10 bitcoin, or about $200,000.
While the US frequently accuses Chinese hackers of stealing information about American citizens and probing its networks, Beijing has long denied those claims and asserted that it was instead the country that faced the greatest number of cyber intrusions.
Usually, those leaks remain hidden from the public, as companies and governments across the country prefer to say little about any data losses.
Shanghai authorities did not comment on the alleged data leak. The Shanghai government did not respond to a request for comment and the Cyberspace Administration of China (CAC), which polices the internet in the country and is responsible for data security, did not respond to faxed questions.
The hacker said the stolen information had been retrieved from a private cloud service provided by internet company Alibaba. Alibaba declined to comment.
The veracity of the data remains unclear. Some users writing on the cyber crime forum said the data sample included details on picking up packages, suggesting it could be delivery company information rather than a police database. But the Wall Street Journal reported at least some of the information provided was real.
Changpeng Zhao, chief executive of crypto exchange Binance, wrote on Twitter that the company had detected the hack and speculated that a government developer had inadvertently posted credentials to access the database in an online forum.
The internet in China was once rife with citizens’ personal data for sale. But CAC has largely cleaned this up in recent years, rolling out some of the world’s strictest laws on data security.
Additional reporting by Cheng Leng in Hong Kong and Nian Liu in Beijing