The first signs of the event were in late June. A hacker was using a popular dark web forum to try to sell a database of information for 10 Bitcoins (a little more than $200,000 in value). The size of the database? Around 23 terabytes. That is 23,000 gigabytes of raw information. What information was it?
Personal information of over 1 billion Chinese citizens. That is a billion with a B. That represents about 12% of the human race and over 70% of the population of China. But of course, it leads to questions.
The first one that should be asked is: How legitimate is the data breach? Well, CNN addressed that already. The hacker actually bought advertising space on the forums where they were offering the data. The advertisement contained a portion of the information they stole. CNN was able to confirm that at least a good portion of the information displayed was real.
But that leads to another question: What kind of information was it?
The Nature of the Information
According to the hacker themselves, the information was pried from the servers of the Shanghai police department. Shanghai is a major city in China with a population of 26 million. Because the city is a hub for many government records and servers, a vulnerability in its police department gave the hacker access to tons of data.
Specifically, they were able to find the real names, addresses, mobile phone numbers, national ID numbers, birthplaces, and ages of all of the victims. Naturally, it does not take much effort to cross-reference that much information with people’s faces being posted online by various means as well.
That means the hacker, or anyone who bought the data off of the hacker, could feasibly create a map of most of the Chinese population. It does not take much more effort to find out where those individuals work (most people make that public anyway) and who their associates are.
The Danger of the Information
Many people in this day and age are fully familiar with how much surveillance they are under. But for most of those people, it is hard to get upset by it. After all, what is someone going to do with that information? This is a good question to ask, but you have to be ready for how complex the answer is.
Consider the fact that part of the data leak was the mobile phone numbers of one billion people. What happens if you program a machine to call all one billion of those phone numbers at once? It might not be able to do that. The companies that allow those phones to make calls might not be able to handle that call volume. This might crash the phone company’s infrastructure, but it will more likely do nothing.
But what if instead of calling all of them at once, you call them all in sequence? It would take a while to get through every single one of them (one billion people is quite a lot of phone calls), but simply placing a call is a simple task. You would not need a very complex machine to do it.
And that means you could easily get multiple machines working on the task. Suddenly, thousands of people are getting called every second. It is a small inconvenience, but people are totally reliant on their phones now for a great many tasks. And a small inconvenience multiplied by a billion is a huge problem.
Here’s a follow-up point: no matter how small the problem you can create with one billion people’s mobile phone numbers, it would demand a massive solution. Simply because of how many people are being inconvenienced, no solution would be easy to implement.
This is not even going into the damage you could do by sending disruptive information to all those people’s addresses, or the fraud you could commit with their names, addresses, and ID numbers.
How are People Responding?
Companies all around the world are already working to tighten security in the wake of this mess. The CEO of the Chinese cryptocurrency company Binance has issued a statement saying that they are going to reevaluate their security protocols in the interest of protecting their users.
One of the big concerns among all Chinese companies and their subsidiaries is how this affects two-factor authentication. Exposing birthplaces, names, and birthdates gives away more answers to security questions than you might think. And another issue with mobile numbers being leaked is that knowing someone’s mobile number means that you are just a few steps away from intercepting their messages.
Basically, every Chinese user needs to watch out for how they might become a target in the wake of this attack. There is one small problem with that, however.
How the Chinese Government is Reacting
As was the case when COVID-19 was ravaging Wuhan, the Chinese government has responded by prioritizing hiding the problem before solving it. There is a layer of this that is understandable; after all, hiding the fact that the leak happened is far easier than solving it, meaning hiding it will happen first.
But it does mean that the people who were affected by the data leak do not know they are affected by it. If your password is compromised, you kind of need to change it immediately. You also need to change every identical or similar password before anyone tries to use that information elsewhere.
The same applies here. One billion people need to take measures to make their online presences safer. But most of them have no idea that they are compromised.
This is probably not the last you will hear about this data leak, as the potential ramifications are massive. After all, plenty of sovereign nations (especially the United States and Russia) would love to know the names and addresses of one billion of the world’s population.
And if you think this might have affected you, then be sure to change your security questions and passwords. Those are compromised more easily than you would think.