The Shanghai police records—containing the names, government ID numbers, phone numbers and incident reports of nearly 1 billion Chinese citizens—were stored securely, according to the cybersecurity experts. But a dashboard for managing and accessing the data was set up on a public web address and left open without a password, which allowed anyone with relatively basic technical knowledge to waltz in and copy or steal the trove of information, they said.
“That they would leave this much data exposed is insane,” said Vinny Troia, founder of dark web intelligence firm Shadowbyte, which scans the web for unsecured databases and found the Shanghai police database in January.
The database stayed exposed for more than a year, from April 2021 through the middle of last month, when its data was suddenly wiped clean and replaced with a ransom note for the Shanghai police to discover, according to Bob Diachenko, owner of the cybersecurity research firm SecurityDiscovery, which similarly found the database—and later the note—through its periodic web scans earlier this year.
“your_data_is_safe,” the ransom note read, according to screenshots provided by Mr. Diachenko. “contact_for_your_data…recovery10btc,” meaning the data would be returned for 10 bitcoin, roughly $200,000.