Hacker offers to sell data of 48.5 million users of Shanghai’s COVID app

A man wearing protective gear checks his mobile phone at a subway station after the lifting of a lockdown to prevent the spread of the coronavirus disease (COVID-19) in Shanghai, China, June 2, 2022. REUTERS/Aly Song

BEIJING, Aug 12 (Reuters) – A hacker has claimed to have obtained the personal information of 48.5 million users of the Covid Health Code mobile app run by the city of Shanghai, the second claim of a data breach in the Chinese financial hub in just over a month.

A hacker with the username “XJP” posted an offer to sell the data for $4,000 on hacker forum Breach Forums on Wednesday.

The hacker provided a sample of the data, including the phone numbers, names, Chinese identification numbers and health code status of 47 people.

Eleven of the 47 people reached by Reuters confirmed they were listed in the sample, but two said their identification numbers were incorrect.

“This DB (database) includes everyone living or visiting Shanghai since Suishenma was adopted,” XJP said in the post, which asked for $4,850 before dropping the price later in the day.

Suishenma is the Chinese name for Shanghai’s health code system, which the city of 25 million people, like all of China, established in the early 2020s to combat the spread of Covid-19. All residents and visitors should use it.

The app collects travel data to give people a red, yellow or green rating indicating the likelihood of having the virus, and requires users to show a code to enter public places.

The data is managed by the city government, and users access Suishenma through the Alipay app, owned by fintech giant and Alibaba (9988.HK) affiliate Ant Group, and Tencent Holdings’ (0700.HK) WeChat app.

XJP, the Shanghai government, Ant and Tencent did not immediately respond to requests for comment.

The alleged Suishenma breach comes after a hacker said earlier last month that they had obtained 23 terabytes of personal information on a billion Chinese citizens from the Shanghai police.

That hacker also offered to sell the data on Breach Forums.

The Wall Street Journal cited cyber security researchers as saying that the first hacker was able to steal data from the police because a dashboard to manage the police database was left open on the public Internet without password protection for more than a year.

The newspaper said the data was hosted on Alibaba’s cloud platform and that Shanghai authorities had summoned company officials over the matter.

The Shanghai government, police and Alibaba have not commented on the police database case.

Reporting by Eduardo Baptista and Shanghai Newsroom; Writing by Brenda Goh; Edited by Robert Birsell
