Hacker offers to sell data of 48.5 million users of Shanghai's COVID app
The hacker with the username as "XJP" posted an offer to sell the data for $4,000 on the hacker forum Breach Forums on Wednesday.
By Reuters | Updated:
ETtech
A hacker has claimed to have obtained the personal information of 48.5 million users of a COVID health code mobile app run by the city of Shanghai, the second claim of a breach of the Chinese financial hub's data in just over a month.
The hacker with the username as "XJP" posted an offer to sell the data for $4,000 on the hacker forum Breach Forums on Wednesday.
The hacker provided a sample of the data including the phone numbers, names and Chinese identification numbers and health code status of 47 people.
Eleven of the 47 reached by Reuters confirmed that they were listed in the sample, though two said their identification numbers were wrong.
"This DB (database) contains everyone who lives in or visited Shanghai since Suishenma's adoption," XJP said in the post, which originally asked for $4,850 before lowering the price later in the day.
Suishenma is the Chinese name for Shanghai's health code system, which the city of 25 million people, like many across China, established in early 2020 to combat the spread of COVID-19. All residents and visitors have to use it.
The app collects travel data to give people a red, yellow or green rating indicating the likelihood of having the virus and users have to show the code to enter public venues.
The data is managed by the city government and users access Suishenma via the Alipay app, owned by fintech giant and Alibaba affiliate Ant Group, and Tencent Holdings' WeChat app.
XJP, the Shanghai government, Ant and Tencent did not immediately respond to requests for comment.
The purported Suishenma breach comes after a hacker early last month said they had procured 23 terabytes of personal information belonging to one billion Chinese citizens from the Shanghai police.
That hacker also offered to sell the data on Breach Forums.
The Wall Street Journal, citing cyber security researchers, said the first hacker had been able to steal the data from the police as a dashboard for managing a police database had been left open on the public internet without password protection for more than a year.
The newspaper said data was hosted on Alibaba's cloud platform and Shanghai authorities had summoned company executives over the matter.
Neither the Shanghai government, nor police nor Alibaba have commented on the police database matter.
The hacker with the username as "XJP" posted an offer to sell the data for $4,000 on the hacker forum Breach Forums on Wednesday.
The hacker provided a sample of the data including the phone numbers, names and Chinese identification numbers and health code status of 47 people.
Eleven of the 47 reached by Reuters confirmed that they were listed in the sample, though two said their identification numbers were wrong.
"This DB (database) contains everyone who lives in or visited Shanghai since Suishenma's adoption," XJP said in the post, which originally asked for $4,850 before lowering the price later in the day.
Suishenma is the Chinese name for Shanghai's health code system, which the city of 25 million people, like many across China, established in early 2020 to combat the spread of COVID-19. All residents and visitors have to use it.
ADVERTISEMENT
The app collects travel data to give people a red, yellow or green rating indicating the likelihood of having the virus and users have to show the code to enter public venues.
The data is managed by the city government and users access Suishenma via the Alipay app, owned by fintech giant and Alibaba affiliate Ant Group, and Tencent Holdings' WeChat app.
XJP, the Shanghai government, Ant and Tencent did not immediately respond to requests for comment.
The purported Suishenma breach comes after a hacker early last month said they had procured 23 terabytes of personal information belonging to one billion Chinese citizens from the Shanghai police.
ADVERTISEMENT
That hacker also offered to sell the data on Breach Forums.
The Wall Street Journal, citing cyber security researchers, said the first hacker had been able to steal the data from the police as a dashboard for managing a police database had been left open on the public internet without password protection for more than a year.
ADVERTISEMENT
The newspaper said data was hosted on Alibaba's cloud platform and Shanghai authorities had summoned company executives over the matter.
Neither the Shanghai government, nor police nor Alibaba have commented on the police database matter.
Download
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
Download
The Economic Times News App for Quarterly Results, Latest News in ITR, Business, Share Market, Live Sensex News & More.
The Economic Times News App for Quarterly Results, Latest News in ITR, Business, Share Market, Live Sensex News & More.
Related Articles
Not Elon Musk, not a tech mogul; DOGE’s interim leader is a former COVID data architect and a mother of two; here's all about her2025-02-26T15:28:31Z- China pushes back at WHO criticism over delayed Wuhan Covid data2023-04-09T17:52:35Z
- 5 instances that prove China is fudging its Covid data2023-01-09T17:09:56Z
ADVERTISEMENT
