Hacked Shanghai police database didn't let users set a password
Alibaba infrastructure was outdated and led to breach, report claims
A recently-stolen database holding personally identifiable information on a billion Chinese citizens had been sitting online, unprotected by any credentials, and available for anyone who knew where to look, reports have claimed.
The Wall Street Journal has said an investigation is currently underway to determine the circumstances leading up to the breach. Allegedly, the Alibaba cloud platform used by the Shanghai police department was outdated in such a manner that even setting up a password for the database wasn’t an option.
These findings would be in line with what the media initially reported, when cybersecurity researchers pointed the finger at third-party cloud infrastructure partners such as Alibaba, Huawei, or Tencent.
Database for sale
The WSJ also stated that the representatives of the Chinese cloud giant were called in for talks with the investigators, including the company’s Vice President, Chen Xuesong. Both parties are yet to comment.
Unknown cybercriminals had sought to sell the huge database, which allegedly contained people’s names, government ID numbers, as well as phone numbers, on the dark web. Furthermore, the database held records of crimes reported to the police department, with some of the data even belonging to minors.
The criminals advertising the database were asking for 10 bitcoin, or roughly $200,000, in return for the data.
This type of data is in high demand among cybercriminals, as it allows them to engage in all kinds of fraudulent activities, from identity theft, to phishing, to payment fraud, and many, many more.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
After news of the theft broke out, Alibaba disabled all access to the database, the publication added, further stating that its engineers started inspecting the related code, but could not conclusively say how the breach happened.
- Here's our take on the best endpoint protection software today
Via: Wall Street Journal
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.