A developer appears to have divulged credentials to a police database on a popular developer forum, leading to a breach and subsequent bid to sell 23 terabytes of personal data on the dark web.
A prominent Chinese tech CEO has cited human error as the likely reason hackers got their hands on the personal data of 1 billion people in China from a Shanghai police database and then put some of it up for sale on illicit online markets.
A government developer wrote a blog post on the China Software Developer Network (CSDN) that accidentally included the credentials to the system where the data was stored, Zhao Changpeng, CEO of cryptocurrency exchange Binance, said on Twitter Monday. CSDN is one of the largest developer networks in China.
“Apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials,” Changpeng, who goes colloquially and on Twitter by the moniker “CZ,” wrote in the tweet. His post included a screenshot of the offending code that was included in the blog post.
Previously, Changpeng had tweeted that his company’s threat intelligence team detected 1 billion Chinese resident records for sale on the dark web, citing as the “likely” culprit for the leak “a bug in an Elastic Search deployment by a gov agency.” In response to the breach, Binance stepped up its user verification processes, he said.
Indeed, numerous news outlets reported Tuesday that an anonymous hacker or hacking group going by the username “ChinaDan” put up for sale last week 23 terabytes of stolen data—including names, addresses, birthplaces, national IDs, phone numbers and criminal case information of Chinese citizens—on Breach Forums, a popular cybercriminal forum. The unknown actors were asking for 10 bitcoin, or about $200,000, for the data cache.
With multiple sources confirming that the data appears to be legit, the news caused a massive stir across the security industry, with experts calling it the largest cybersecurity breach in not just the country’s history, but perhaps ever.
“If ChinaDan is telling the truth, then this is one of the biggest data breaches in history, and it was caused by poor password management,” observed Josh Stahl, security operations center analyst at BreachQuest, an incident-response security firm, in an email to Threatpost.
The upside, if there is one, is that the root cause of the breach does not indicate “some new exploit or stealthy malware, but a simple oversight of credential management,” he noted.
Human Error in Play
Indeed, the breach again shines a light on the most persistent security issue since the inception of computers and the internet: human error. In fact, Verizon’s annual report on data breaches, the 2022 Data Breach Investigations Report (DBIR), cited the “human element” as responsible for 82 percent of the breaches analyzed by researchers, with 13 percent directly attributed to human error.
Since people overseeing sensitive data still can’t seem to be trusted to protect it, the incident once again demonstrates that companies need to take numerous steps beyond password-protecting systems that store data to ensure that it doesn’t fall into the wrong hands, noted a security professional.
“This is the end result of a catastrophic failure to implement basic password management and secrets management,” Craig Lurey, CTO and co-founder at cybersecurity software firm Keeper Security, told Threatpost in an email. “Secrets such as database credentials should never be hard-coded into source code, which is what caused the breach.”
He suggested that enterprise password managers enable organizations to establish strict, deliberate role-based access control (RBAC), along with privileged access to infrastructure, to protect sensitive data and secrets.
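The advice above, that database credentials must never be hard-coded into source code, is only as good as the check that enforces it before a listing is published. The following is an added example, not code from the article or from any company quoted in it: a small Python scanner that flags the two most common ways credentials end up in a pasted code block (a connection URL carrying a username and password, and a quoted literal assigned to a password-like name), masks what it finds so a reviewer can triage without re-exposing the value, and rewrites the listing with placeholders. The regex patterns, the placeholder convention and the sample snippet are all constructed assumptions for this example; nothing here is taken from the leaked post.

```python
import re
from typing import Dict, List

# Added example, not the article's or any vendor's code. Patterns, names and the
# sample listing below are constructed assumptions for illustration.

# A connection URL carrying userinfo, e.g. https://user:pass@host:9200
URL_WITH_USERINFO = re.compile(
    r"\b[a-z][a-z0-9+.-]*://(?P<user>[^\s:/@'\"]+):(?P<secret>[^\s@/'\"]+)@(?P<host>[^\s/'\"]+)",
    re.IGNORECASE,
)

# A quoted literal assigned to a password-like name, e.g. DB_PASSWORD = '...'
SECRET_ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z0-9_]*(?:password|passwd|pwd|secret|api[_-]?key|token)[A-Za-z0-9_]*)
        \s*[:=]\s*['"](?P<secret>[^'"]{4,})['"]""",
    re.IGNORECASE | re.VERBOSE,
)

# Values a published listing may legitimately carry in place of a real secret.
PLACEHOLDER = re.compile(r"^(?:<[A-Z_]+>|\$\{[A-Z_][A-Z0-9_]*\})$")


def mask(secret: str) -> str:
    """Keep two characters so a reviewer can recognise the value without re-exposing it."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_source(text: str) -> List[Dict[str, object]]:
    """Return one finding per hard-coded credential in `text`, with the secret masked."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL_WITH_USERINFO.finditer(line):
            if PLACEHOLDER.match(m.group("secret")):
                continue  # already sanitised, not a finding
            findings.append({"line": lineno, "kind": "url-userinfo",
                             "name": m.group("user"), "where": m.group("host"),
                             "secret": mask(m.group("secret"))})
        for m in SECRET_ASSIGNMENT.finditer(line):
            if PLACEHOLDER.match(m.group("secret")):
                continue
            findings.append({"line": lineno, "kind": "assignment",
                             "name": m.group("name"), "where": None,
                             "secret": mask(m.group("secret"))})
    return findings


def redact_source(text: str) -> str:
    """Replace every embedded secret with <REDACTED> so the listing can be published."""
    def _redact(m: "re.Match[str]") -> str:
        # Splice on offsets rather than str.replace, so a secret that happens to
        # equal part of the variable name (password = "password") is still handled.
        whole = m.group(0)
        start = m.start("secret") - m.start()
        end = m.end("secret") - m.start()
        return whole[:start] + "<REDACTED>" + whole[end:]
    text = URL_WITH_USERINFO.sub(_redact, text)
    return SECRET_ASSIGNMENT.sub(_redact, text)


# Constructed listing, shaped like a connection block someone might paste into a blog post.
SAMPLE_SNIPPET = """\
from elasticsearch import Elasticsearch

# constructed listing, as it might be pasted into a blog post
ES_HOST = "https://analyst:Sup3rSecret!@es.internal.example:9200"
DB_PASSWORD = 'hunter2hunter2'
client = Elasticsearch(ES_HOST)
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SNIPPET):
        print(f"line {f['line']}: {f['kind']} {f['name']} -> {f['secret']}")
    print(redact_source(SAMPLE_SNIPPET))
```

Run as a pre-publish or pre-commit gate, a non-empty result from `scan_source` blocks the post; `redact_source` gives the author a version that still documents the connection shape without the credential. The scanner deliberately ignores `<NAME>` and `${NAME}` placeholders so that a correctly sanitised listing passes cleanly, which keeps the check from being disabled as noisy.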
Another security expert advised organizations to establish a layered defense and behavior detection model to prevent human error from causing potentially catastrophic data leaks.
“Organizations should establish processes to continuously identify, prioritize and remediate gaps in their security monitoring and threat coverage to detect anomalous activity,” Michael Mumcuoglu, CEO and co-founder at threat coverage optimization firm CardinalOps, observed in an email to Threatpost.
Flipping the Script
The incident also appears to flip the script on China, a country well known as one of the biggest perpetrators of cybercrime–state-sponsored and otherwise.
Typically, China tends to be the actor behind cybercriminal activity, not the victim of it—although admittedly it’s difficult to know how often Chinese citizens themselves are targeted by cybercrime, given the lack of transparent reporting mechanisms in that country about such activity, experts said.
But in a country with a government that notoriously collects mountains of data about its own citizens while imposing tight restrictions on what data and internet resources they themselves can access and use, it’s not surprising that some of this data would eventually fall into criminals’ hands.
And there already is precedent for high-profile data leaks that expose the personal data of Chinese citizens. In 2020, for example, sensitive data on around 2 million members of the Communist Party of China (CPC) was leaked, including official records as well as information related to their activity in global organizations.
So far, Shanghai authorities have not publicly responded to the latest data breach, nor are they responding to requests for comment, according to reports.