Hacker offers to sell data of 48.5 million Shanghai Covid app users

The hacker provided a sample of data from 47 Chinese. (Representative)


A hacker claimed to have obtained the personal information of 48.5 million users from a COVID health code mobile app run by the city of Shanghai, the Chinese financial hub’s second data breach complaint in just over one month.

The hacker whose username is “XJP” posted an offer to sell the data for $4,000 on the hacker forum Breach Forums on Wednesday.

The hacker provided sample data, including phone numbers, Chinese names and ID numbers, and health code status of 47 people.

Eleven of the 47 contacted by Reuters confirmed they were in the sample, although two said their ID numbers were wrong.

“This database (database) contains everyone who lives in or has visited Shanghai since the adoption of Suishenma,” XJP said in the post, which initially asked for $4,850 before dropping the price later in the day. .

Suishenma is the Chinese name for Shanghai’s health code system, which the city of 25 million, like many others in China, established in early 2020 to combat the spread of COVID-19. All residents and visitors must use it.

The app collects travel data to give people a red, yellow or green rating indicating the likelihood of having the virus and users must show the code to enter public places.

The data is managed by the city government, and users access Suishenma through the Alipay app, owned by fintech giant and Alibaba subsidiary Ant Group, and Tencent Holdings’ WeChat app.

XJP, the Shanghai government, Ant and Tencent did not immediately respond to requests for comment.

Suishenma’s alleged breach comes after a hacker said early last month that he obtained 23 terabytes of personal information belonging to one billion Chinese citizens from Shanghai police.

This hacker also offered to sell the data on the Breach forums.

The Wall Street Journal, citing cybersecurity researchers, said the first hacker was able to steal police data because a dashboard for managing a police database was left open on the public internet without password protection for more than one year.

The newspaper said the data was hosted on Alibaba’s cloud platform and authorities in Shanghai had summoned company executives about it.

Neither the Shanghai government, nor the police, nor Alibaba have commented on the police database matter.

(Except for the title, this story has not been edited by NDTV staff and is published from a syndicated feed.)

Jennifer C. Burleigh