A hacker claims to have obtained the personal information of 48.5 million users of the COVID healthcare mobile app operated by the city of Shanghai, the second data breach by the Chinese financial hub in just over a month.
The hacker with the username “XJP” posted an offer to sell the data for $4,000 (about Rs 3,20,000) on hacker forum Breach Forums on Wednesday.
This person provided a sample of data including phone numbers, names, Chinese identification numbers and health code status of 47 people.
Eleven of the 47 people Reuters approached confirmed their names were on the sample, although two said their identification numbers were wrong. Reuters was unable to further verify the authenticity of the hacker’s claims.
The true scale and nature of these types of data attacks are sometimes overstated by sellers looking to make a quick profit.
“This database (database) contains all the people who have lived or visited Shanghai since Suishenma was adopted,” XJP said in the post.
Suishenma is the Chinese name for Shanghai’s health code system, this city of 25 million was established in early 2020 to combat the spread of coronavirus. COVID-19. All residents and visitors must use it.
The app collects travel data to give users a red, yellow or green rating indicating the likelihood of contracting the virus. Codes must be displayed to enter public places.
The data is managed by the city government and users can access Suishenma by downloading the app or opening it with the Alipay app, which is owned by the fintech giant and Alibaba Ant Group affiliate, and TencentWeChat’s app.
Shanghai, Ant and Tencent authorities did not immediately respond to requests for comment. XJP declined to comment when approached on the Infringement Forum.
“I’m not ready to answer the questions yet because I have a lot to go through,” XJP said.
The purported Suishenma breach comes after a hacker last month claimed to have acquired 23TB of personal information of a billion Chinese citizens from Shanghai police.
That hacker also offered to sell the data on the Breach Forum.
The Wall Street Journal quoted cybersecurity researchers as saying that hackers could first steal data from police as a dashboard to manage police databases.
The newspaper said the data is stored on Alibaba’s cloud platform and that Shanghai authorities have summoned company executives over the matter.
Neither the Shanghai government, the police nor Alibaba would comment on the police database issue.
Chinese regulators over the past two years have announced a series of new regulations aimed at increasing scrutiny of the private sector’s management of user data, after years of complaints from citizens about the data. their personal data can be stolen or sold easily.
Screenshots of XJP’s offer on the Breach Forum went viral on Chinese social media on Friday, prompting some Weibo users to weigh in on this latest leak and its broader implications. it, as well as questioning what kind of action should be taken.
“Data leaks in China are really not uncommon news anymore,” one person said.
© Thomson Reuters 2022