1.3 Billion Records of Chinese Citizens Leaked Online

Recently, during our routine darkweb and cybercrime monitoring, Cyble researchers came across a Threat Actor (TA) posting more than 1.3 billion records containing sensitive information about Chinese citizens on a cybercrime forum called RaidForums. The data sources include:  

  • Dungeon Fighter Online, an online role-playing game
  • Tencent QQ, an instant messaging service owned by Tencent
  • Shunfeng (SF) Express, a delivery service and logistics company
  • JD.com, the second-largest e-commerce company in China
  • Sina Weibo.com, a microblogging site similar to Twitter
  • Car owners’ data (no source indicated for this data)
  • Citizen Identity Number leak (no source indicated for this data)

Figure 1 is a screenshot of the post by the Threat Actor.  

Figure 1 Post by the TA 

Our research has indicated that the TA joined RaidForums in April 2021 and, so far, has contributed just two threads to the forum. The reputation is almost neutral, suggesting that the TA is new to the forum.  

Further investigation:  

Cyble went through all the files that were posted to verify and validate the claims made by the TA and further understand the sensitivity of the information leaked.  

For Dungeon Fighter, the leaked files include, among other things, the email IDs and passwords of its users. The total number of user records is 70 million.

In the case of Tencent QQ, the leaked files include the IDs and phone numbers of about 900 million users, which is almost 65% of the total population of China.

Figure 2 Screenshot of leaked data from QQ.com 

The leaked files associated with SF Express comprise its users’ full addresses and their names and mobile numbers. This includes data of about 70 million users.  

Figure 3 Screenshot of leaked data from SF Express 

Breaches at JD.com have been reported earlier as well. However, the previous breaches did not involve the data of as many users as the recent leak. This breach includes the data of around 140 million JD.com users, along with their names, passwords (hashed), email IDs, and mobile numbers.

Figure 4 Screenshot of leaked data from JD.com 

The breached data of Sina Weibo includes about 500 million user phone numbers along with their linked unique IDs.             

Figure 5 Screenshot of leaked data from Weibo 

The Car owners’ data leak file appears to be an amalgamation of several databases for information on car owners. This includes names, Citizen Identity Numbers, mobile numbers, email IDs, addresses, DOBs, and the reported monthly incomes of more than 760k people.  

Figure 6 Screenshot of leaked data of Car Owners Info 

The files associated with the Citizen Identity Numbers are also an amalgamation of databases and appear to have information captured in 2016. Even though the recorded year is 2016, the Citizen Identity number allotted to a citizen is permanent and cannot be changed. These files contain names, DOBs, mobile numbers, addresses, and Citizen Identity Numbers of about 4.8 million Chinese citizens. 

Figure 7 Screenshot of leaked data of Citizen Identity Numbers 

These breaches contain extremely sensitive user data that have the potential to be misused. This also opens the floodgates for cyber fraud and other criminal activities.  

Cyble has been reporting these breaches to spread awareness of the risks associated with using online services and the growing threats to data security. 

We recommend that people:

  • Never share personal information, including financial information, over the phone, email, or SMS.
  • Use strong passwords and enforce multi-factor authentication where possible.
  • Regularly monitor their financial transactions and, on noticing any suspicious transaction, contact their bank immediately.
  • Turn on the automatic software update feature on their computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and internet security software package on their connected devices, including PC, laptop, and mobile.
  • Register at AmiBreached.com to ascertain their exposure if they are concerned about exposure on the darkweb.

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com
