Hacker offers to sell data of Shanghai COVID app users
(Reuters) — A hacker claims to have obtained the personal information of 48.5 million users of a COVID-19 health mobile app run by the city of Shanghai, the second claim of a breach of the Chinese financial hub’s data in just over a month.
The hacker with the username “XJP” posted an offer to sell the data for $4,000 on the hacker forum Breach Forums on Wednesday.
The person provided a sample of the data including the phone numbers, names and Chinese identification numbers and health code status of 47 people.
Eleven of the 47 reached by Reuters confirmed they were listed in the sample, though two said their identification numbers were wrong. Reuters was unable to further verify the authenticity of the hacker's claim.
The true size and nature of these kinds of data hacks are sometimes overstated by the seller in an attempt to make a quick profit.
"This DB (database) contains everyone who lives in or visited Shanghai since Suishenma's adoption," XJP said in the post, which originally asked for $4,850 before lowering the price later the same day.
Suishenma is the Chinese name for Shanghai's health code system, which the city of 25 million people established in early 2020 to combat the spread of COVID-19. All residents and visitors have to use it.
The app collects travel data to give users a red, yellow or green rating indicating the likelihood of having the virus. The code has to be shown to enter public venues.
