An Hacker by the name of XJP is selling 48.5 Million Users’ Data From Shanghai Covid App at $4000 USD
The city of Shanghai’s COVID health code mobile app is used by 48.5 million people, and a hacker has claimed to have gotten their personal information. This is the second time in less than a month that a data breach has been reported in the Chinese financial centre.
On Wednesday, the hacker posting under the alias “XJP” offered to sell the data for $4,000 on the hacker forum Breach Forums.
A sample of the data, which included 47 people’s phone numbers, names, Chinese identity numbers, and health code status, was made available by the hacker.
Of the 47 people Reuters spoke with, eleven verified that they were included in the sample, but two claimed that their identifying numbers were incorrect.
In the article, XJP stated that “This DB (database) comprises everyone who has lived in Shanghai or visited since Suishenma’s adoption,” and he first requested $4,850 before dropping the price later in the day.
The 25 million-person metropolis of Shanghai devised a health code system in early 2020 to stop the spread of COVID-19. This system is known in Chinese as suishenma. Both locals and guests are required to utilise it.
Users must provide the code to enter public spaces. The app gathers travel data to assign persons a red, yellow, or green rating reflecting the likelihood of having the virus.
Users can access Suishenma through the Alipay app, owned by financial behemoth and Alibaba affiliate Ant Group, as well as the WeChat app from Tencent Holdings. The data is handled by the city administration.
Requests for comment from XJP, the Shanghai government, Ant, and Tencent were not immediately fulfilled.
The alleged Suishenma breach was reported after a hacker claimed early last month that the Shanghai police had given them 23 terabytes of personal data belonging to one billion Chinese individuals.
On breach forums, the hacker allegedly made the data available for sale.
According to cyber security experts cited by The Wall Street Journal, the police dashboard for managing a police database was left exposed on the public internet without password protection for more than a year, which allowed the first hacker to take the data from the police.
According to the tabloid, data was stored on Alibaba’s cloud platform, and Shanghai officials had called business executives to appear before them.
The police database issue has not been addressed by the Shanghai government, the police, or Alibaba.