A China-based server left nearly one terabyte of data open for anyone to see, including sensitive personal information such as SMS and call logs.
The unprotected database, discovered by Safety Detectives’ research team led by Anurag Sen, contained at least 889 gigabytes of data and was growing every day until it was closed. The researchers were not able to determine who owns the database, but they were able to confirm that it originated from China.
According to the researchers, the information in the exposed database came from more than 100 different loan-related applications. They also said that the database was a “treasure trove of data” and contained sensitive information of millions of Chinese citizens.
What led the researchers to conclude that the database includes data from loan-related applications was the discovery of several credit evaluation reports, which contain loan records and details, risk management data, and real ID numbers, as well as personal information like name, phone number, and address.
In 4.6 million unique entries, the researchers were able to find other data like:
- GPS location
- A detailed list of contacts
- SMS logs
- IMSI numbers
- IMEI numbers
- Device model/version
- Stored app data
- Memory data
- Operator reports
- Transaction details
- Mobile billing invoices
- Full names
- Phone numbers
- Bill amount per month
- Call log
- Credit and debit card details
- Concentrated list of apps on each mobile device
- Detailed tracking of app behavior
- Device information
- Device location
- Launch & exit times
- Duration on the content, etc.
- Passwords hashed with MD5, which can be cracked
Furthermore, the amount and type of data discovered by the team inside the previously exposed database led them to conclude that citizens are being tracked in detail.
“Things including a user’s IP address and duration of a given activity, call logs, SMS exchanges (including content of the SMS), and the various apps installed on the devices are all within the scope of data made available by this leak,” reads the report of Safety Detectives penned by Jim Wilson.
The researchers raised many concerns regarding the database they have uncovered. According to them, the database could be used by marketers to “hyper-target” their customers and “fine-tune” their messages to them. Worse, the data could also be used by threat actors to carry out fraud, and “it could also be easily used in either ‘friendly’ government spying or not-so-friendly espionage.”
There is enough data for anyone to completely take over someone’s identity without any considerable effort. “If this data were to be sold on the Dark Web, it could easily be packaged into a ‘deal’ where an individual’s financial, medical, and personal life are up for grabs,” the researchers warn.
This is not the first time that a database originating from China was found to include sensitive personal and financial information of Chinese citizens. Earlier this year, Victor Gevers, a security researcher from GDI.Foundation, found a similar database containing sensitive information of Chinese citizens that appeared to come from servers of the popular payment platform Alipay.
The database includes transaction details of Alipay users, and Gevers claimed that it is being sold to third parties for a price.
Alipay denied the accusation and offered an alternative explanation on the data that was discovered. They said that they are not selling transaction details of their users. Instead, the transaction details could have been willingly uploaded by users through a loan app.
According to the investigation conducted by the company, some Alipay customers submitted their Alipay account names and passwords to a particular online lending platform. Such information was obtained by crawler companies that work with these online lending companies and was then stolen by hackers.
Back in March, Gevers said that the continuous discovery of databases, like the one he discovered earlier this year and the one discovered by Safety Detectives recently, highlights the massive problem with China’s fintech industry.
He noted that most financial data leaks happen because sources trust third parties with their data. Most of the time in fintech, experts see third parties doing machine learning and analytics to generate insight. “Knowing what the Chinese people are spending their money on based on one of the biggest financial institutions has a very high market value in and outside China,” he said.