On June 30 on a popular underground forum, an actor uploaded a massive amount of data reportedly exfiltrated from the Shanghai National Police (SHGA). This included names, addresses, birthplaces, national IDs, phone numbers and criminal records of 1 billion Chinese citizens—over 70% of China’s total population. The data, 23 TB in total, was advertised for sale for 10 bitcoin ($200,000), and anyone could receive a free sample of 750,000 entries.

Cybersixgill research has picked up on two interesting trends in the weeks following this breach:

  1. There has been a significant increase in the quantity of Chinese-language activity on this predominantly English-speaking forum. 
  2. Subsequently there has been a notable rise in data leaks of Chinese entities shared on the forum.

Increased Chinese activity

Shortly after the Shanghai police breach was shared, some threat actors complained about a massive uptick in Chinese users active on the forum as a consequence of the data leak.

The new Chinese members seem to be interested in a wide variety of what the forum has to offer, including data leaks, streaming accounts, adult content, hacking courses, and cracking tools.

The overflow of the new Chinese users, however, had made some of the veteran forum actors concerned that their Chinese counterparts would overwhelm the forum. Some even suggested banning the Chinese threat actors for “disturb[ing] the original order.”

This tense situation compelled the forum administrator to address the leak in a message written both in English and Chinese called “a letter to our Chinese users.” In the post, the administrator explained that the Shanghai police breach was no longer being sold, and that the communication in the forum is to be in English only.

In the administrator’s own words, the Shanghai breach attracted a new Chinese following to the forum. Simply put, good content brought new readers.

Within the Chinese internet, the Shanghai police breach had also a fair amount of attention. Since it was published, the post has been widely discussed on China’s Weibo and WeChat social media platforms over the weekend, with many users worried it could be real. The hashtag “Shanghai data leak” was blocked on Weibo by Sunday afternoon (3/7), but there are still a few discussions on Chinese social media about this incident.

As of time of publication, the Chinese government has not publicly commented on the matter. However, the forum became inaccessible from within China, which indicates that the government is aware of breach and considers it to be severe.

 

However, the Chinese authorities took actionable decisions in China to investigate the matter. Chinese authorities reportedly summoned Alibaba’s Executives to investigate this historic data theft, as Alibaba’s cloud platform allegedly hosted the Shanghai’s police database and used outdated systems, making it easier for the hackers to access the data. Researchers said a dashboard for managing the database had been left open on the public internet without a password for more than a year.

 

Increased Chinese Data Leaks

In the weeks following the Shanghai police breach, Cybersixgill observed a sudden spike of data leaks of Chinese entities shared on this underground forum. From March through June, there were an average of 14 monthly leaks from Chinese entities. However, in the first 15 days of July there were 25 leaks, setting a pace for 52, far exceeding the pre-breach average.

This anomaly may be related to the Shanghai breach in three ways:

First, the massive size of the breach and the high asking price for the data may have indicated that Chinese databases are highly valued, so other actors jumped on the bandwagon and shared data, hoping to gain both a reputation boost and money.

Second, the newly registered Chinese members may have thought this forum to be a new venue on which to share their domestic database leaks. Some evidence points to this: For example, in the post below, a Chinese threat actor, who registered to the forum in July 2022, shares a leaked police database from 2016 as a “meeting gift.”

Finally, we must consider that it is likely the Shanghai Police breach led to additional breaches. That is, personal and sensitive data contained within the free sample of 750,000 entries could have been keys to hacking and social engineering attacks to extract information from additional databases.

 

Conclusion

The data compromised in the massive breach of the Shanghai National Police exposed the personal information of one billion Chinese citizens. This major breaching event led to subsequent breaches of other Chinese entities, either directly, by providing the data needed to access more data, or indirectly, by encouraging copycats. 

Either way, now that the data is out, it can be used in cyberattacks, social engineering campaigns, and other malicious activities. We anticipate that we will be seeing the reverberations of this breach on the underground for quite some time.

Moreover, the fact that this breach attracted increased Chinese participation in an English-speaking forum is notable, as the Chinese and English underground are generally separate communities. It is worth following up on this incident, to gage if it leads to increased communication and collaboration between these two groups.