Karen Hao
NYT bestselling author of EMPIRE OF AI: https://t.co/wh5mCWc2mo. ai reporter. american national magazine award winner. in @MorePerfectUS @theatlantic @wsj @techreview

Jul 6, 2022, 11 tweets

The Shanghai police data heist grows more insane: Experts say the database of nearly 1 billion Chinese citizens was not hacked—it simply had no password, allowing the thief to waltz in, wipe the data & leave a ransom note: "contact_for_your_data…recovery10btc." wsj.com/articles/china…

I spoke to two cybersecurity experts @vinnytroia & @MayhemDayOne who both run cybersecurity services that regularly scan the web for unsecured databases. They each discovered this database at different points earlier this year but didn't immediately realize what it was.

After the recent news about the leak, they went back through their notes and found an exact match to the description of the database that a user on a cybercrime forum is now selling—for the same price tag as the ransom amount: 10BTC.

Their notes show that while the database itself was protected on a private server, a dashboard for managing and accessing the data was set up on a public web address and left open without a password.

It effectively created an open door to the data vault, allowing anyone who stumbled upon it to export and edit the data unencumbered.

That door stayed open for over a year, from April 2021 all the way until mid-June 2022, when a thief used it to wipe all the data for a ransom.

And even then—after the data went *missing*—the door continued to stay open for another ~2 weeks, until the vulnerability started getting widespread attention.

Troia says it's likely the same entity that took the data and is now peddling it. “What’s pretty common is if the ransom victim doesn’t pay the ransom, then they’ll try to sell the data off online,” he says.

These kinds of vulnerabilities are extremely common—but both Troia & Diachenko say this one stands out for the sheer amount of data left unsecured. Troia called it "insane." Diachenko said he's never encountered anything larger than this one.

These new details put to rest another rumor that was gaining traction that the vulnerability could have been caused by a 2020 technical blog post that appeared to have inadvertently published the credentials to a Shanghai police server.

Troia & Diachenko point out that there were no credentials necessary to access this data, making the speculation unlikely.

If you missed it, you can read our first story here. wsj.com/articles/vast-…
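The thread describes the failure mode in plain terms: the database itself sat on a private server, but a management dashboard for it was reachable at a public address and answered anyone who arrived, with no password prompt. Services like the ones Troia and Diachenko run find such dashboards by doing, at scale, roughly what the added example below does for one URL: request the page with no credentials and look at what comes back. This is example code written for this page, not the thread's own material and not either researcher's scanner. The dashboard path, the hostnames and the two local servers (one that serves the console to anyone, one that challenges for credentials) are constructed stand-ins so the check runs offline.

```python
"""Added example: does a management dashboard answer without credentials?

Hypothetical minimal exposure check. Paths, hosts and ports are assumptions;
the two handlers below are constructed stand-ins for an exposed dashboard
and a properly protected one, so the whole thing runs on 127.0.0.1.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class OpenDashboard(BaseHTTPRequestHandler):
    """Constructed stand-in: serves the console to anyone, no auth at all."""

    def do_GET(self):
        body = b"<html><title>Data Console</title><body>export | edit</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class ProtectedDashboard(OpenDashboard):
    """Constructed stand-in: challenges for credentials before serving anything."""

    def do_GET(self):
        if self.headers.get("Authorization"):
            return super().do_GET()
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="dashboard"')
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind a throwaway HTTP server on 127.0.0.1 and return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def classify(url, timeout=3):
    """Fetch url with no credentials and report what an anonymous visitor gets.

    'open'          -> 2xx: the console is reachable by anyone who finds it
    'auth-required' -> 401/403: the server at least asks for credentials
    'redirect'      -> 3xx (e.g. to a login page): needs a manual look
    'unreachable'   -> connection failed or some other error
    """
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # urlopen follows redirects itself; resp.url shows whether one happened
            if resp.url != url:
                return "redirect"
            return "open" if 200 <= resp.status < 300 else "unreachable"
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return "auth-required"
        if 300 <= e.code < 400:
            return "redirect"
        return "unreachable"
    except (urllib.error.URLError, OSError):
        return "unreachable"


def _closed_port():
    """Pick a port nothing is listening on, for the 'unreachable' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the check against the constructed servers; returns {name: verdict}."""
    open_srv, open_port = start_server(OpenDashboard)
    prot_srv, prot_port = start_server(ProtectedDashboard)
    path = "/app/dashboard"  # assumed console path
    try:
        return {
            "open": classify(f"http://127.0.0.1:{open_port}{path}"),
            "protected": classify(f"http://127.0.0.1:{prot_port}{path}"),
            "dead": classify(f"http://127.0.0.1:{_closed_port()}{path}", timeout=1),
        }
    finally:
        for srv in (open_srv, prot_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

An "open" verdict on a console that can export or edit records is the condition the thread describes; note that a 200 alone is only the first signal a real scanner acts on, since the response body still has to be inspected to tell a data console from a harmless landing page.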
