Threat Actor leaks ~1.5 Billion Records from Multiple Chinese Databases in Recent Spree

XVigil discovered 8 posts on a database marketplace advertising multiple Chinese govt. and private databases, exposing 1.5B Chinese records.
Updated on
April 19, 2023
Published on
January 8, 2021
Subscribe to the latest industry news, threats and resources.
CloudSEK’s flagship digital risk monitoring platform XVigil discovered 8 posts by a threat actor, on a surface web database marketplace, advertising multiple Chinese government and private databases. The posts expose a total of ~1.5 billion Chinese records.  

The Targets

The databases on sale include:
Loans and Banks Chinese Loans and Banks Database
Ping An Insurance Chinese conglomerate that deals with insurance, banking, and financial services
Tencent QQ Chinese instant messaging platform. Ranked by Alexa as the world’s 5th most visited
Weibo Chinese microblogging site and one of China’s biggest social media platforms
China’s National Car owners from Ministry of Public Security (MPS) is China’s primary police and security authority 
Business data from Enterprise and Individual’s business data from China’s National Bureau of Statistics 
Jingdong ( formerly 360buy Fortune Global 500 Chinese e-commerce company that is Alibaba Tmall’s competitor
SF Express China’s second largest multinational delivery and logistics company

Impacted Assets

The records in the databases contain the following fields:
Data size
Data fields
Loans and Banks 2020 80K • Name  • Loan amount • Gender • Birthplace • ID details • Address • WeChat ID • QQ ID • Phone • Education • Marital status • Dependents • Spouse details • Monthly expenditure • Monthly income 
Ping An Insurance 2020 100K • Product Name • Amount • Guarantee Period  • Name  • ID  • Gender • Phone • Email • Province • Monthly Income • Marital • Policy Form • Insurance Responsibility • Purpose of Insurance • Payment Period
Tencent QQ 2019 720M • QQ ID • Mobile 
Weibo 2019 538M • Weibo ID • Mobile
China’s National Car owners from 2020 760K • Name  • ID  • Gender • Phone • Address • Salary • Car details
Business data from 2020 700K • Contact info • Landline • Business name • Business address • Industry keywords
Jingdong ( formerly 360buy 2020 141M • Username • Password • Email • Phone
SF Express 2020 67M • Name • Phone • Address
  [caption id="attachment_9227" align="alignnone" width="992"] sample data shared the threat actor sample data shared the threat actor[/caption]   [caption id="attachment_9228" align="alignnone" width="983"]Car owners’ sample data shared the threat actor Car owners’ sample data shared the threat actor[/caption]   [caption id="attachment_9229" align="alignnone" width="980"]Ping An’s sample data shared the threat actor Ping An’s sample data shared the threat actor[/caption]  

Threat Actor

The threat actor joined the forum in April 2020 and is a popular seller on the forum. The threat actor had changed their handle in December 2020, shortly before going on the spree. The actor has a high reputation score on the forum, which means they are considered a credible seller.   


Since the leaked details contain PII and other sensitive information that can be used to orchestrate social engineering attacks and even identity theft. The following mitigation measures can be used to offset impact of leaked PII data
  • Use strong passwords
  • Enable multi-factor authentication for all online accounts
  • Not share OTPs with third-parties
  • Review online accounts and financial statements periodically
  • Regularly update apps and other software

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations