Alibaba Shut Down Server after Gigantic Private Data Leak

Jul 19, 2019 | Biz, China, News

The most private data of millions of Chinese, derived from loan apps, has potentially been exposed to cybercriminals for half a month.

Israeli company Safety Detectives uncovered a sizeable trove of personal data on a Chinese server that had been exposed for weeks. The server in question has already been closed after CNET reached out to Alibaba, which hosted it. However, Alibaba declined to name the owner of the exposed database, which contained millions of entries of private information that could potentially ruin lives if accessed by cybercriminals.

899+ GB of Data Leaked

Safety Detectives' Head of Research, Anurag Sen, led the investigation of the personal data leak, and the team discovered that the database contained information gathered by more than 100 loan-related apps operating in the country. Loan apps serve millions of Chinese citizens who do not have a credit score, and have allowed people to borrow money quickly online. Youyidai, one of the loan apps identified, has been downloaded more than 1.4 million times in China.

While China is known for having a generally questionable stance on data privacy, the scale of the current data leak is unimaginable. The database had already reached a size of 899+ gigabytes and had been growing by the day prior to Alibaba's closure of the server.

The server provider, Aliyun Computing Co., had no idea that the database had been exposed, and had only rented the server to the database owner. The Elastic server contained a variety of personal files and information, including credit evaluation reports that exposed loan records and details, risk management data, real ID numbers, and private information such as full names, addresses and contact numbers.

Alibaba Cloud Closes the Server

Alibaba, the owner of the Alibaba Cloud platform, released this statement after CNET contacted the company about the data leak.

“We provide ongoing security guidelines and training to all our customers, and always advise them to protect their data by setting a secure password among other security recommendations,” an Alibaba spokesperson stated.

“A series of actions were immediately taken to identify, alert and guide the customer, once Alibaba Cloud was informed about their database vulnerability hosted on our public cloud platform.”

Data images (Bank, location and other Identifiable info) Courtesy of Safety Detectives

Personal and Financial Data at Risk

If credit evaluation reports from the mobile loan apps weren’t bad enough, Anurag’s team also discovered 4.6 million unique entries of device data, including GPS locations, full lists of mobile contacts, SMS logs, IMSI numbers, IMEI numbers, device models and versions, stored app data from previous installations, and memory data (composition and content of mobile phone memory).

There are also entries for operator reports, transaction details, and billing invoices (full names, phone numbers, monthly bill details, credit card details, debit card details, and call logs). MD5-hashed passwords, which can subsequently be cracked, were also found.

Long-term Impact of the Leak  

Since the private data leak involved almost every aspect of the users' personal and digital lives, including IP addresses, GPS locations, and even the duration of each online session, it would be easy for hackers to take over people's identities if they wanted to use the information for unscrupulous activities. The abuse of government-issued IDs, as well as risk management IDs and P2P data, can have a severe, negative impact on people's careers and financial future.

Furthermore, this data, if it has been downloaded by hackers, can easily be "packaged" and resold on the dark web to other hackers and hacking groups involved in credit fraud and identity theft in general.

Personal phone numbers can actually be replicated by hackers, and this can be used to gain access to everything that is linked to those numbers, from email addresses to phone apps, and even smart home devices and software. Private photos can also be accessed in apps, phones, and cloud-based data services, furthering the potential of the data leak to ruin lives. There is currently no consensus on whether cybercriminals have gained access to the exposed data.

“Leaks like these are continuously happening because companies mismanage the server where they store the logs. It is a technical fault and a very silly one which can cause very serious damage to the company and its customers by leaving databases like this without password over the internet,” security researcher Anurag Sen stated.
