Hacker claims access to Shanghai Covid app, threatens to sell data to millions of users

Hacker claims to have hacked into Shanghai’s Covid app and stolen users’ personal data on it

According to a Reuters report, a cybercriminal by the name of XJP took to the hacker forum Breach Forums, to announce a database containing sensitive information about 48.5 million users.

The database was taken from “Suishenma”, the Chinese name for Shanghai’s health code system, which has been used by all residents and visitors to the city since early 2020. The hacker first demanded $4,850 for the database, but then reduced the offer to $4,000.

“This database (database) contains everyone who lives in or has visited Shanghai since the adoption of Suishenma,” the announcement reads.

Authentic samples

According to the report, the hacker released a small sample, including data on 47 people, as proof of his claims. The sample contained the names, Chinese ID numbers, telephones and health code statuses of these individuals. The publication found 11 people confirming the authenticity of their information, although two added that their ID numbers were wrong.

Suishenma has been mandatory for all residents (about 25 million people) and visitors to Shanghai since early 2020. It collects travel data and then codes users based on their risk of catching the virus. Users must then show the code each time they enter public places.

Users access Suishenma through the Alipay app, Reuters added, indicating that the city government manages the data entering the application. At this time, none of the parties involved were ready to comment.

Chinese authorities are facing the second major data breach in two months, after a threat actor leaked what appears to be sensitive data on one billion Chinese people. This database has also been put up for sale on the Breach forums.

  • Here is our overview of the free and paid options for the best firewall (opens in a new tab) software to stay protected online

Going through: Reuters (opens in a new tab)

Jennifer C. Burleigh