Threat Actor leaks ~1.5 Billion Records from Multiple Chinese Databases in Recent Spree

CloudSEK’s flagship digital risk monitoring platform XVigil discovered 8 posts by a threat actor, on a surface web database marketplace, advertising multiple Chinese government and private databases. The posts expose a total of ~1.5 billion Chinese records.

The Targets

The databases on sale include:

Loans and Banks	Chinese Loans and Banks Database
Ping An Insurance	Chinese conglomerate that deals with insurance, banking, and financial services
Tencent QQ	Chinese instant messaging platform. Ranked by Alexa as the world’s 5th most visited
Weibo	Chinese microblogging site and one of China’s biggest social media platforms
China’s National Car owners from mps.gov.cn	Ministry of Public Security (MPS) is China’s primary police and security authority
Business data from stats.gov.cn	Enterprise and Individual’s business data from China’s National Bureau of Statistics
Jingdong (JD.com) formerly 360buy	Fortune Global 500 Chinese e-commerce company that is Alibaba Tmall’s competitor
SF Express	China’s second largest multinational delivery and logistics company

Impacted Assets

The records in the databases contain the following fields:

Target	Relevance	Data size	Data fields
Loans and Banks	2020	80K	• Name • Loan amount • Gender • Birthplace • ID details • Address • WeChat ID • QQ ID • Phone • Education • Marital status • Dependents • Spouse details • Monthly expenditure • Monthly income
Ping An Insurance	2020	100K	• Product Name • Amount • Guarantee Period • Name • ID • Gender • Phone • Email • Province • Monthly Income • Marital • Policy Form • Insurance Responsibility • Purpose of Insurance • Payment Period
Tencent QQ	2019	720M	• QQ ID • Mobile
Weibo	2019	538M	• Weibo ID • Mobile
China’s National Car owners from mps.gov.cn	2020	760K	• Name • ID • Gender • Phone • Address • Salary • Car details
Business data from stats.gov.cn	2020	700K	• Contact info • Landline • Business name • Business address • Industry keywords
Jingdong (JD.com) formerly 360buy	2020	141M	• Username • Password • Email • Phone
SF Express	2020	67M	• Name • Phone • Address

Jd.com sample data shared the threat actor

Threat Actor

The threat actor joined the forum in April 2020 and is a popular seller on the forum. The threat actor had changed their handle in December 2020, shortly before going on the spree. The actor has a high reputation score on the forum, which means they are considered a credible seller.

Recommendations

Since the leaked details contain PII and other sensitive information that can be used to orchestrate social engineering attacks and even identity theft. The following mitigation measures can be used to offset impact of leaked PII data

Use strong passwords
Enable multi-factor authentication for all online accounts
Not share OTPs with third-parties
Review online accounts and financial statements periodically
Regularly update apps and other software