Shanghai city’s COVID health code mobile app is used by 48.5 million people, and a hacker claimed to have obtained their personal information. This is the second time in less than a month that a data breach has been reported in the Chinese financial center.
On Wednesday, the hacker posting as “XJP” offered to sell the data for $4,000 on hacker forum Breach Forums.
A sample of the data, which included the phone numbers, names, Chinese ID numbers and health code status of 47 people, was made available by the hacker.
Of the 47 people Reuters spoke to, eleven verified they were in the sample, but two said their ID numbers were incorrect.
In the article, XJP said that “This database (database) includes everyone who has lived in Shanghai or visited since the adoption of Suishenma”, and he first asked for $4,850 before lowering the price later in the day.
The metropolis of Shanghai, which has a population of 25 million, devised a health code system in early 2020 to stop the spread of COVID-19. This system is known in Chinese as suishenma. Residents and guests are required to use it.
Users must provide the code to enter public areas. The app collects travel data to assign people a red, yellow or green rating reflecting the likelihood of having the virus.
Users can access Suishenma through the Alipay app, owned by financial giant and Alibaba subsidiary Ant Group, as well as Tencent Holdings’ WeChat app. The data is managed by the city administration.
Requests for comment from XJP, the Shanghai government, Ant and Tencent were not immediately met.
Suishenma’s alleged breach came after a hacker claimed early last month that Shanghai police had provided them with 23 terabytes of personal data belonging to one billion Chinese people.
On breach forums, the hacker allegedly made the data available for sale.
According to cybersecurity experts quoted by the Wall Street Journal, the police dashboard for managing a police database has been left exposed on the public internet without password protection for more than a year , which allowed the first hacker to take the data to the police.
According to the tabloid, the data was stored on Alibaba’s cloud platform, and Shanghai officials had called for company executives to appear before them.
The police database issue has not been resolved by the Shanghai government, the police, or Alibaba.