Hacker offers to sell data of 48.5 million users of Shanghai's Covid app

Hacker with username XJP posted offer to sell data for $4,000 on Breach Forums

The hacker provided a sample of the data including the phone numbers, names, identification numbers and health code status of 47 people. AFP
Beta V.1.0 - Powered by automated translation

A hacker claims to have obtained the personal information of 48.5 million users of a Covid health mobile app run by the city of Shanghai, the second claim of a breach of the Chinese financial hub's data in a little more than a month.

The hacker, using the username “XJP”, posted an offer to sell the data for $4,000 on Breach Forums on Wednesday.

The person provided a sample of the data including the phone numbers, names, identification numbers and health code status of 47 people.

Eleven of the 47 people reached by Reuters confirmed they had been listed in the sample, though two said their identification numbers were wrong. Reuters was unable to further verify the authenticity of the hacker's claim.

The true size and nature of these kinds of data hacks is sometimes overstated by the seller in an attempt to make a quick profit.

“This [database] contains everyone who lives in or visited Shanghai since Suishenma's adoption,” XJP said in the post, which originally asked for $4,850 before lowering the price later the same day.

Suishenma is the Chinese name for Shanghai's health code system, which the city of 25 million people established in early 2020 to combat the spread of Covid-19. All residents and visitors have to use it.

The app collects travel data and gives users a red, yellow or green rating indicating the likelihood of having contracted the virus. The code has to be shown to enter public venues.

The data is managed by the city government and users can access Suishenma either by downloading the app or opening it using the Alipay app, which is owned by FinTech company and Alibaba affiliate Ant Group as well as Tencent Holdings' WeChat app.

The Shanghai government, Ant and Tencent did not immediately respond to requests for comment. XJP declined to comment when reached on Breach Forums.

“I'm not ready to answer questions yet as I have a lot more to drop,” XJP said.

The purported Suishenma breach comes after a hacker last month claimed to have procured 23 terabytes of personal information belonging to one billion Chinese citizens from the Shanghai police.

That hacker also offered to sell this data on Breach Forums.

The first hacker was able to steal data from the police as a dashboard for managing a law enforcement database had been left open on the public internet without password protection for more than a year, The Wall Street Journal reported, citing cyber security researchers.

The newspaper said the data had been hosted on Alibaba's cloud platform and that Shanghai authorities had summoned company executives over the matter.

The Shanghai government, police and Alibaba have yet to comment on the police database issue.

Chinese regulatory bodies have in the past two years announced a barrage of new rules strengthening oversight over the private sector's management of user data after years of complaints by residents of how their personal data could be easily stolen or sold.

A screenshot of XJP's offer on Breach Forums went viral on Chinese social media on Friday, prompting several Weibo users to weigh in on the latest leak and its broader implications, as well as question what sort of action would be taken.

“Data leaks in China are really no longer uncommon news,” said one user.

Updated: August 12, 2022, 5:57 PM