Massive data leak exposes over eight billion Chinese to ID theft risk

New information regarding a data leak incident that occurred last year in China reveals that an unsecured Elasticsearch cluster exposed at least 8.7 billion identity records within a period of three weeks.

Cybernews reports that its researchers, early last month, found one cluster containing 163 indices with 8.7 billion records of different data types, stored on a bulletproof hosting platform which suggests that there might have been malicious intent. Ukrainian cybersecurity researcher Bob Diachenko is said to be part of the team that made the discovery.

With the nature of the cluster, Cybernews states that the incident was more of an intentional data aggregation as the scale and structure of the leak suggest data was compiled from multiple sources over a period of time.

Per the outlet, the exposed data was categorized into four main types. It included identity card numbers of citizens, biographical information such as name, gender and dates of birth of victims, home addresses and mobile numbers, plain text passwords, business information records and social media account details, among others.

Before this 8.7 billion data records discovery, Cybernews had last year reported on the same incident, with the number of records reportedly affected at the time put at more than four billion. The leak included financial data and social media identifiers of Chinese citizens.

The leaked data, discovered early this year, was also reported to have remained publicly accessible for around three weeks before being taken offline on January 26, a situation that exposed victims to high risks of identity fraud and account takeovers as malicious actors could scrape the data for their nefarious activities.

This incident is part of a pattern of major data leaks in China seen over the years. In 2022, for instance, a hacker claimed that he had stolen data containing the records of about a billion Chinese citizens including national ID and telephone numbers, and offered to sell the data for an estimated $200,000.

Article Topics

China  |  cybersecurity  |  data protection  |  identity document  |  national ID