Alibaba Shut Down Server after Gigantic Private Data Leak

Jul 19, 2019 | Biz, China, News

The most private data of millions of Chinese derived from loan apps have been potentially exposed to cybercriminals for half a month.

Israeli company Safety Detective uncovered a sizeable trove of personal data in a Chinese server that has been exposed for weeks. While the server in question has already been closed after CNET reached out to Alibaba, which hosted the server. However, Alibaba declined to name the owner of the exposed database, which contained millions of entries of private information that could potentially ruin lives if accessed by cybercriminals.  

899+ GB of Data Leaked

Safety Detective’s Head of Research, Anurag Sen, led the investigation of the personal data leak and the team discovered that the database contained information gathered by more than 100 loan-related apps that operated in the country. Loan apps serve millions of Chinese citizens that do not have a credit score, and have allowed people to borrow money quickly online.  Youyidai, one of the loan apps identified has been downloaded more than 1.4 million times in China.  

While China is known for having a generally questionable stance on data privacy, the scale of the current data leak is unimaginable. The database has already reached a size of 899+ gigabytes of data and had been increasing by the day prior to Alibaba’s closure of the server.

The server provider, Aliyun Computing Co., had no idea that the database has been exposed, and only rented the server to the database owner. The Elastic server contained a variety of personal files and information, including credit evaluation reports that exposed loan records and details, risk management data, real ID numbers, and private information such as full names, addresses and contact numbers.

Alibaba Cloud Closes the Server

Alibaba, the owner of the Alibaba Cloud platform, released this statement after CNET contacted the company about the data leak.

“We provide ongoing security guidelines and training to all our customers, and always advise them to protect their data by setting a secure password among other security recommendations,” an Alibaba spokesperson stated.

“A series of actions were immediately taken to identify, alert and guide the customer, once Alibaba Cloud was informed about their database vulnerability hosted on our public cloud platform.”

Data images (Bank, location and other Identifiable info) Courtesy of Safety Detectives

Personal and Financial Data at Risk

If credit evaluation reports from the mobile loan apps weren’t bad enough, Anurag’s team also discovered 4.6 million unique entries of device data, including GPS locations, full lists of mobile contacts, SMS logs, IMSI numbers, IMEI numbers, device models and versions, stored app data from previous installations, and memory data (composition and content of mobile phone memory).

There are also entries for operator reports, transaction details, billing invoices (full names, phone numbers, monthly bill details, credit card details, debit card details, and call logs). MD5-hashed passwords that can be subsequently decoded have also been found.

Long-term Impact of the Leak  

Since the private data leak involved almost every aspect of the users’ personal and digital lives, including IP addresses, GPS locations, and even durations of each online session, it would be easy for hackers to overtake people’s identities if they wanted to use the information for unscrupulous activities. The abuse of government-issued IDs, as well as risk management IDs and P2P data can have a severe, negative impact on people’s careers and financial future.

Furthermore, this data, if it has been downloaded by hackers, can easily be “packaged” and resold in the Dark Web to other hackers and hacking groups involved in credit fraud and identity theft in general.

Personal phone numbers can actually be replicated by hackers, and this can be used to gain access to everything that is linked to the said personal numbers, from email addresses to phone apps, and even smart home devices and software. Private photos can also be accessed in apps, phones, and cloud-based data services, furthering the potential of the data leak to ruin lives. There is currently no consensus if cyber criminals have gained access to the exposed data.

“Leaks like these are continuously happening because companies mismanage the server where they store the logs. It is a technical fault and a very silly one which can cause very serious damage to the company and its customers by leaving databases like this without password over the internet,” security researcher Anurag Sen stated.