Alibaba Shut Down Server after Gigantic Private Data Leak

Jul 19, 2019 | Biz, China, News

The most private data of millions of Chinese derived from loan apps have been potentially exposed to cybercriminals for half a month.

Israeli company Safety Detective uncovered a sizeable trove of personal data in a Chinese server that has been exposed for weeks. While the server in question has already been closed after CNET reached out to Alibaba, which hosted the server. However, Alibaba declined to name the owner of the exposed database, which contained millions of entries of private information that could potentially ruin lives if accessed by cybercriminals.  

899+ GB of Data Leaked

Safety Detective’s Head of Research, Anurag Sen, led the investigation of the personal data leak and the team discovered that the database contained information gathered by more than 100 loan-related apps that operated in the country. Loan apps serve millions of Chinese citizens that do not have a credit score, and have allowed people to borrow money quickly online.  Youyidai, one of the loan apps identified has been downloaded more than 1.4 million times in China.  

While China is known for having a generally questionable stance on data privacy, the scale of the current data leak is unimaginable. The database has already reached a size of 899+ gigabytes of data and had been increasing by the day prior to Alibaba’s closure of the server.

The server provider, Aliyun Computing Co., had no idea that the database has been exposed, and only rented the server to the database owner. The Elastic server contained a variety of personal files and information, including credit evaluation reports that exposed loan records and details, risk management data, real ID numbers, and private information such as full names, addresses and contact numbers.

Alibaba Cloud Closes the Server

Alibaba, the owner of the Alibaba Cloud platform, released this statement after CNET contacted the company about the data leak.

“We provide ongoing security guidelines and training to all our customers, and always advise them to protect their data by setting a secure password among other security recommendations,” an Alibaba spokesperson stated.

“A series of actions were immediately taken to identify, alert and guide the customer, once Alibaba Cloud was informed about their database vulnerability hosted on our public cloud platform.”

Data images (Bank, location and other Identifiable info) Courtesy of Safety Detectives

Personal and Financial Data at Risk

If credit evaluation reports from the mobile loan apps weren’t bad enough, Anurag’s team also discovered 4.6 million unique entries of device data, including GPS locations, full lists of mobile contacts, SMS logs, IMSI numbers, IMEI numbers, device models and versions, stored app data from previous installations, and memory data (composition and content of mobile phone memory).

There are also entries for operator reports, transaction details, billing invoices (full names, phone numbers, monthly bill details, credit card details, debit card details, and call logs). MD5-hashed passwords that can be subsequently decoded have also been found.

Long-term Impact of the Leak  

Since the private data leak involved almost every aspect of the users’ personal and digital lives, including IP addresses, GPS locations, and even durations of each online session, it would be easy for hackers to overtake people’s identities if they wanted to use the information for unscrupulous activities. The abuse of government-issued IDs, as well as risk management IDs and P2P data can have a severe, negative impact on people’s careers and financial future.

Furthermore, this data, if it has been downloaded by hackers, can easily be “packaged” and resold in the Dark Web to other hackers and hacking groups involved in credit fraud and identity theft in general.

Personal phone numbers can actually be replicated by hackers, and this can be used to gain access to everything that is linked to the said personal numbers, from email addresses to phone apps, and even smart home devices and software. Private photos can also be accessed in apps, phones, and cloud-based data services, furthering the potential of the data leak to ruin lives. There is currently no consensus if cyber criminals have gained access to the exposed data.

“Leaks like these are continuously happening because companies mismanage the server where they store the logs. It is a technical fault and a very silly one which can cause very serious damage to the company and its customers by leaving databases like this without password over the internet,” security researcher Anurag Sen stated.

‘Better Days’ Shines Light on China School Bullying Tops Box Office

A harrowing drama about school bullying has struck a strong personal chord with Chinese cinema audiences and soared to the top of the box office, after authorities belatedly gave it the go-ahead.

Taylor Swift Kick Off China ‘Singles’ Day’ Followed by $30 Billion in Sales

Chinese consumers spent a record amount on Alibaba platforms Monday during the annual “Singles’ Day” buying spree, the world’s biggest 24-hour shopping event, which kicked off this year with a glitzy show by US singer Taylor Swift.

The Truth About Asia and its Obsession with Plastic

Plastic waste has become a common sight in Asia. But why should you care?

Top LGBT-Friendly Vacation Spots in Asia

Asia is still mostly evolving when it comes to accepting the LGBT community, and it doesn’t hurt to zero in on places where the community is accepted… mostly.

Thai Cuisine Get Two Michelin Stars for the First Time in Thailand

Two restaurants in Bangkok have each earned a pair of coveted Michelin stars, the first time the leading guide has awarded the accolade to local establishments offering Thai cuisine.

The ‘Eco-Friendlier’ Firecrackers Rolls out in India

With thousands of workers painstakingly handmaking vast volumes of firecrackers, Sivakasi in southern India is usually at full tilt before Diwali. But due to efforts to curb air pollution, the pyrotechnics epicentre is fizzling out.

Nepali Climber Breaks Record for 14 Highest Peaks in Six Months

A Nepali mountaineer on Tuesday smashed the speed record for summiting the world’s 14 highest peaks, racing up all “8000ers” in just six months and six days, organisers said.

Top 3 Cities to See in Thailand

There are so many reasons why Thailand, the Land of Smiles, is pegged as a tourist paradise.

The Ultimate Surf Camps in Asia

Want to learn how to surf in Asia? These amazing surf camps will help you conquer waves.

South Korean Defense Express Regret for Jeju Massacre

More than 70 years after the Jeju Massacre, its victims were finally recognized

Country Profile: Syncretic and Dynamic Vietnam

Vietnam’s legacy to the world goes way beyond its 20th century scuffle with the US in the Vietnam War

China: Universal Studios Park will Use Facial Recognition

The Universal Studios amusement park under construction in Beijing will admit visitors without a ticket thanks to cameras that will scan their faces to determine if they’ve paid for entry.