A Hacker Proposes to Sell the Data of 48.5 Million COVID App Users in Shanghai

It is the second time in less than a month that a hacker has claimed to have accessed the personal data of 48.5 million users of a COVID health mobile app managed by the city of Shanghai.

On Wednesday, the hacker posting under the alias “XJP” offered to sell the data for $4,000 on the hacker forum Breach Forums. The person gave a sample of the information, which included 47 people’s phone numbers, names, Chinese identity numbers, and health codes.

Of the 47 people Reuters spoke with, 11 acknowledged they were among the sample, but two claimed their identification numbers were incorrect.


Reuters was unable to independently confirm the validity of the hacker’s assertion.

Sellers of stolen data sometimes misrepresent its quantity and nature in an effort to turn a quick profit.

“This DB (database) comprises everyone who has lived in Shanghai or visited since Suishenma’s adoption,” XJP wrote in the post. The price was eventually reduced to $3,850.

The 25 million-person metropolis of Shanghai implemented the Suishenma health code system in early 2020 to stop the spread of COVID-19. Both residents and visitors are required to use it.

The software gathers travel information to rate users’ chances of having the virus as red, yellow, or green. To enter public spaces, the code must be shown.

Users can access Suishenma either by installing the app or by opening it through the Alipay app, owned by financial powerhouse and Alibaba affiliate Ant Group, or the WeChat app, owned by Tencent Holdings. The data is managed by the local administration.

Tencent, Ant and the Shanghai government did not immediately respond to requests for comment. Contacted on Breach Forums, XJP declined to respond.

“I have a lot more to drop, so I’m not ready to answer questions just yet,” XJP remarked.

The alleged Suishenma data breach was reported after a hacker last month claimed to have obtained 23 terabytes of personal data belonging to one billion Chinese individuals from the Shanghai police.

That hacker allegedly also put the data up for sale on Breach Forums.

According to the Wall Street Journal, which cited cyber security researchers, the first hacker was able to take information from the police because a dashboard for controlling a police database had been left exposed on the public internet without password protection for more than a year.

According to the newspaper, the data was stored on Alibaba’s cloud platform, and Shanghai officials had summoned the company’s executives.

The police database issue has not been addressed by the Shanghai government, the police, or Alibaba.

After years of protests from citizens about how readily their personal information might be stolen or sold, Chinese regulators have unveiled a flurry of new rules in the past two years tightening oversight of the private sector’s management of user data.

On Friday, a screenshot of XJP’s offer on Breach Forums circulated widely on Chinese social media, prompting a number of Weibo users to comment on this most recent leak, its larger implications, and what steps would be taken.

One of them added, “Data leaks in China are really no longer uncommon news.”

(Writing by Brenda Goh; Editing by Brenda Goh; Reporting by Eduardo Baptista and the Shanghai newsroom)