USA
This article was added by the user . TheWorldNews is not responsible for the content of the platform.

Nearly a billion people in China have leaked personal data and have been online for over a year

(CNN)A large online database that seems to contain the personal information of up to 1 billion Chinese citizens Has been unsecured for over a year-until anonymous users of the Hacker Forum offered to sell their data and gained widespread attention last week.

Leaks could be one of the largest ever recorded, cybersecurity experts say, collecting and storing large amounts of sensitive personal data online. Emphasizes the risks of doing so. And unchecked access to such data.

Since April 2021, a huge amount of personal data in China has been accessed via unsecured backdoor links (shortcut web addresses that anyone with knowledge can access unlimitedly). I was able to access it publicly. LeakIX is a site that discovers and indexes published databases online.

Password-free database access was shut down last week after an anonymous user advertised more than 23 terabytes (TB) of data sold for 10 Bitcoin (about $ 200,000) in a post. At the hacker forum on Thursday.

Users have their databases collated by the Shanghai Police Department with information about 1 billion Chinese, including names, addresses, mobile phone numbers, national ID numbers, ages, hometowns, and civil disputes and crimes. I called the police to report.

A sample of 750,000 data entries from the three major indexes of the database was included in the seller's post. CNN validated the authenticity of more than 20 entries from the sample provided by the seller, but was unable to access the original database.

The Shanghai government and police station did not respond to CNN's repeated written request for comment.

The seller also claimed that the unsecured database was hosted by Alibaba Cloud, a subsidiary of China's e-commerce giant Alibaba. In a statement to CNN, Alibaba said it was aware of the incident and was investigating it.

However, an expert spoken by CNN said the problem was with the data owner, not the company hosting the data.

"At the moment, I think this is the biggest public information leak to date. Indeed, in terms of the breadth of impact in China, we're talking about most of the population here. "Troy Hunt, regional director of Microsoft based in Australia, said.

There are 1.4 billion people living in China. In short, data breaches can affect more than 70% of the population.

"This is a small case where the genie can't go back to the bottle. If the data is there in what it looks like now, you can't go back." Hunt said.

The number of people who have accessed or downloaded the database during the 14 months or more that the database has been published online is unknown. Two Western cybersecurity experts who spoke to CNN said: I knew the database existed before it was released last week, which suggests that people who know where to look can easily discover the database.

Cybersecurity Vinny Troia, a researcher and founder of Shadowbyte, a dark web intelligence company, said he first discovered the database "around January" while searching for open databases online.

"The site I found is public and accessible to anyone. All you have to do is register for an account," Troia said. "Since it opened in April 2021, anyone should have been able to download the data," he added.

Troia said she downloaded one of the main indexes of the database. The index seems to contain information about about 970 million Chinese.

Troy makes sure that open access was an oversight from the database owner or a deliberate shortcut aimed at sharing it among a small number of people. Said it was difficult.

"They either forgot it or intentionally left it open because it was accessible," he said, referring to the authorities responsible for the database. "I don't know why. It sounds very careless."

Unsecured personal data exposed by leaks, breaches, or some form of incompetence is available to businesses around the world. And the increasingly common problem faced by governments, cybersecurity experts remain open.

In 2018, a Florida-based marketing company released nearly 2TB of data that would contain the personal information of hundreds of millions of American adults on a publicly accessible server. I found that I was there.Wired
In 2019, Dutch cybersecurity researcher Victor Gevers will have more than 2.5 million names, national ID numbers and dates of birth in China's westernmost Xinjiang Uygur Autonomous Region. , Found an online database containing location data. According to Reuters

, it has been left unprotected for months by Chinese company SenseNets Technology, but according to cybersecurity researchers, the latest data breaches have potential. Not only the unprecedented amount, but also the confidentiality of the information contained.

A CNN analysis of the database sample found police records of the incident over nearly 20 years from 2001 to 2019. Most of the entries are civil disputes, but there are also records of criminal records ranging from fraud to rape.

In one case, in 2018, a Shanghai resident was summoned by police for using a virtual private network (VPN) to evade a firewall in China and access Twitter. , Politics and leaders.

In another record, the mother called the police in 2010 and accused her father-in-law of raping her 3-year-old daughter.

"Domestic violence, child abuse, all sorts of things can be there. That's far more worrisome to me," said Hunt, Microsoft's regional director.

"This can lead to blackmail. Personal blackmail after a data breach is common. There are also examples of hackers trying to ransom an individual."

The Chinese government has recently stepped up efforts to improve the privacy protection of online user data. Last year, the countrypassed the first Personal Information Protection Act, which sets out the basic rules for how personal data is collected, used and stored. However, experts have raisedconcernswhile the law can regulate tech companies, it can be difficult to enforce if applied to a state in China.

Ukraine-based security researcher Bob Diachenko first accessed the database in April. In mid-June, his company detected that the database was attacked by an unknown malicious attacker. A malicious attacker destroyed and copied the data, leaving a ransom note requesting 10 Bitcoins for recovery.

It's not clear if this was the work of the same person who advertised the sale of database information last week.

According to Diachenko, the ransom note had disappeared by July 1, but only 7 gigabytes (GB) of data was available instead of the originally advertised 23 TB.

Diachenko said it suggests that the ransom has been resolved, but database owners continue to use the published database for storage until it shuts down over the weekend. rice field.

"Maybe there was a junior developer who noticed it and tried to delete the note before the senior management noticed it," he said.