CloudSEK’s flagship digital risk monitoring platform XVigil discovered 8 posts by a single threat actor on a surface web database marketplace, advertising multiple Chinese government and private-sector databases. Together, the posts expose a total of ~1.5 billion records on Chinese citizens and businesses.
The Targets
The databases on sale include:

| Target | Description |
|---|---|
| Loans and Banks | Chinese loans and banks database |
| Ping An Insurance | Chinese conglomerate dealing in insurance, banking, and financial services |
| Tencent QQ | Chinese instant messaging platform; ranked by Alexa as the world’s 5th most visited site |
| Weibo | Chinese microblogging site and one of China’s biggest social media platforms |
| China’s National Car owners from mps.gov.cn | The Ministry of Public Security (MPS) is China’s primary police and security authority |
| Business data from stats.gov.cn | Enterprise and individual business data from China’s National Bureau of Statistics |
| Jingdong (JD.com), formerly 360buy | Fortune Global 500 Chinese e-commerce company and competitor to Alibaba’s Tmall |
| SF Express | China’s second largest multinational delivery and logistics company |
Impacted Assets
The records in the databases contain the following fields:

| Target | Relevance (year) | Data size (records) | Data fields |
|---|---|---|---|
| Loans and Banks | 2020 | 80K | Name, loan amount, gender, birthplace, ID details, address, WeChat ID, QQ ID, phone, education, marital status, dependents, spouse details, monthly expenditure, monthly income |
| Ping An Insurance | 2020 | 100K | Product name, amount, guarantee period, name, ID, gender, phone, email, province, monthly income, marital status, policy form, insurance responsibility, purpose of insurance, payment period |
| Tencent QQ | 2019 | 720M | QQ ID, mobile |
| Weibo | 2019 | 538M | Weibo ID, mobile |
| China’s National Car owners from mps.gov.cn | 2020 | 760K | Name, ID, gender, phone, address, salary, car details |
| Business data from stats.gov.cn | 2020 | 700K | Contact info, landline, business name, business address, industry keywords |
| Jingdong (JD.com), formerly 360buy | 2020 | 141M | Username, password, email, phone |
| SF Express | 2020 | 67M | Name, phone, address |
Figure: JD.com sample data shared by the threat actor

Figure: Car owners’ sample data shared by the threat actor

Figure: Ping An’s sample data shared by the threat actor
Threat Actor
The threat actor joined the forum in April 2020 and is a popular seller there. The actor changed their handle in December 2020, shortly before posting this series of listings. The actor has a high reputation score on the forum, which indicates that other members consider them a credible seller.
Recommendations
The leaked records contain PII and other sensitive information that can be used to orchestrate social engineering attacks and even identity theft. The JD.com records in particular include usernames and passwords alongside email addresses and phone numbers, so any password reused elsewhere is exposed to credential stuffing. The following measures can help offset the impact of leaked PII:
- Use strong, unique passwords for every account, and change any password that may have been reused with an affected service
- Enable multi-factor authentication for all online accounts
- Do not share OTPs with third parties
- Review online accounts and financial statements periodically for unauthorised activity
- Regularly update apps and other software