The asking price for the database, which includes several billion case records, is just 10 bitcoin ($202,000). This indicates the seller is someone who happened across the data and is being opportunistic rather than a professional hacker motivated by money. A sample of the data posted in an online forum, and viewed by Bloomberg Opinion, shows records of people across China with names, identification and mobile phone numbers, the original source of the data, and a reference to the first time the details were entered into the record. Chillingly, the database includes fields referring to express delivery and food-order details. This could imply that this data were compiled by police from multiple sources across the country, beyond what law enforcement typically gathers firsthand. Of course, there may be other explanations for such data, too.
Bloomberg Opinion was unable to independently verify the authenticity of the data, yet numerous posts in that same forum indicate that users have checked it and found it to be real. Shanghai authorities haven’t publicly responded to the alleged data breach. Representatives for the city’s police and Cyberspace Administration of China, the country’s internet overseer, did not respond to requests for comment by Bloomberg News.
Whereas hackers seek to penetrate a computer system, possibly using malware and phishing attacks, this breach seems to be far more straightforward. It appears a software developer may have left an access key visible in an online code repository or in a blog post, according to data posted in public forums and social media, and discussions among people familiar with the case but not directly involved. This key is similar to, but functions differently from, a password.
With that key, and a basic understanding of how the database was set up…