Hacker Offers to Sell Data of 48.5 Million Users of Shanghai's COVID App

A hacker claims to have obtained the personal information of 48.5 million users of a COVID health mobile app run by the city of Shanghai, the second claim of a breach of the Chinese financial hub's data in just over a month.

The hacker with the username "XJP" posted an offer to sell the data for $4,000 (roughly Rs. 3,20,000) on the hacker forum Breach Forums on Wednesday.

The person provided a sample of the data including the phone numbers, names, Chinese identification numbers, and health code status of 47 people.

Eleven of the 47 reached by Reuters confirmed they were listed in the sample, though two said their identification numbers were wrong. Reuters was unable to further verify the authenticity of the hacker's claim.

The true size and nature of these kinds of data hacks is sometimes overstated by the seller in an attempt to make a quick profit.

"This DB (database) contains everyone who lives in or visited Shanghai since Suishenma's adoption," XJP said in the post, which originally asked for $4,850 (roughly Rs. 4,00,000) before lowering the price later the same day.

Suishenma is the Chinese name for Shanghai's health code system, which the city of 25 million people established in early 2020 to combat the spread of COVID-19. All residents and visitors have to use it.

The app collects travel data to give users a red, yellow or green rating indicating the likelihood of having the virus. The code has to be shown to enter public venues.

The data is managed by the city government and users can access Suishenma either by downloading the app or opening it using the Alipay app, owned by fintech giant and Alibaba affiliate Ant Group, and Tencent's WeChat app.

The Shanghai government, Ant and Tencent did not immediately respond to requests for comment. XJP declined to comment when reached on Breach Forums.

"I'm not ready to answer questions yet as I have a lot more to drop," XJP said.

The purported Suishenma breach comes after a hacker last month claimed to have procured 23TB of personal information belonging to one billion Chinese citizens from the Shanghai police.

That hacker also offered to sell the data on Breach Forums.

The first hacker was able to steal data from the police as a dashboard for managing a police database that had been left open on the public internet without password protection for more than a year, the Wall Street Journal reported, citing cyber security researchers.

The newspaper said data was hosted on Alibaba's cloud platform and Shanghai authorities had summoned company executives over the matter.

Neither the Shanghai government nor the police nor Alibaba have commented on the police database matter.

Chinese regulatory bodies have in the past two years announced a barrage of new rules strengthening oversight over the private sector's management of user data, after years of complaints by residents about how their personal data could be easily stolen or sold.

A screenshot of XJP's offer on Breach Forums went viral on Chinese social media on Friday, prompting several Weibo users to weigh in on this latest leak and its broader implications, as well as question what sort of action would be taken.

"Data leaks in China are really no longer uncommon news," said one.

© Thomson Reuters 2022