A blackhat hacker has claimed to have hacked the information of 48.5 million Shanghai’s Covid-19 app users. On August 10, 2022, the claim was made by a user named “XJP” on the Breach Forums. The alleged actor also posted an offer of $4,000 for potential buyers of the data.
In his post, “XJP” shared a piece of stolen data, including the phone numbers, names, 18-digit Chinese identification numbers, and health code status of citizens. The hacker also shared details of 47 people in the post, and the UK-based news agency “Reuters” confirmed with eleven of the people from the data leak that they were listed in the samples.
Shanghai’s Covid-19 app data leaked
After the alleged leak of the Shanghai public security database, which was recorded with a data breach of one billion Chinese residents, a new hacker named “XJP” has claimed to have access to the personal data of 48.5 million users of Shanghai’s Covid-19 app. The data was obtained from Shanghai’s health code, known as Suishenma.
The data also contained information about people who “live or have visited Shanghai” since the adoption of the QR code system,” as per reports. In the initial post, the hacker asked for $4,850 in exchange for the data but then lowered the price to $4,000 on the same day.
According to a report by the South China Morning Post, among the leaked data of people, a citizen named Feng confirmed that the data had the correct information about him, including his name, health code status, and Chinese Identification code. However, among the other 11 citizens who were cross-checked with the leaked information, two of them said their identification numbers were wrong.
Shanghai Big Data Center Denies Data Leak
Shanghai’s health code, or Suishenma, has been developed by the Shanghai Big Data Center, which assists local authorities in managing the Covid-19 outbreak. It used a classification method, AKA “health code status,” to distinct people with three colors — Red, Yellow, and Green. The resident of Shanghai must come under the green code while using public transport or entering public places.
As this data can be used to determine who was sick or had the potential to become ill with COVID-19, the hackers allegedly tried stealing the data, even though the authorities have denied any such cybersecurity incident. The agency said they were only responsible for the program’s development and rejected any accusation that the data was leaked through them.