Data breach (unresolved)

Shanghai National Police database leak

An exposed Shanghai Public Security Bureau database allowed a hacker known as 'ChinaDan' to offer 23 terabytes of data on roughly 1 billion Chinese residents (names, national ID numbers, phone numbers, addresses and police case records) for 10 bitcoin, in what is widely regarded as the largest government data breach in Chinese history.

Victim: Shanghai National Police (Shanghai Public Security Bureau)
Records: 1.00B
Users: 1.00B

In early July 2022, an anonymous user calling themselves "ChinaDan" advertised on the Breach Forums marketplace a 23-terabyte trove of personal records on roughly one billion Chinese residents, drawn from a Shanghai National Police database. The asking price was 10 bitcoin — about $200,000 at the time. If genuine in full, it ranks among the largest data breaches ever recorded and the biggest known leak of a Chinese government system.

What happened

The data is believed to have originated from the Shanghai Public Security Bureau, hosted on a private cloud. Security researchers reported that the underlying database — built on an Elasticsearch cluster fronted by a management dashboard — had been left accessible on the open internet without a password for over a year. The credentials and access path were reportedly exposed in a technical blog post, allowing anyone who found it to query and download the contents.

The seller published a sample of 750,000 records as proof. Journalists at Reuters, the BBC and the Wall Street Journal independently called individuals listed in the sample and confirmed that names, identity numbers and case details matched real people.
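The misconfiguration described above, as an added example that is not part of this page or its sources: a small audit of an elasticsearch.yml node configuration that flags the combination behind this kind of exposure, an HTTP API bound to a public interface with X-Pack security switched off. The setting names are real Elasticsearch keys; both sample configurations are constructed, and treating a missing xpack.security.enabled as disabled is a conservative assumption of this audit.

```python
from typing import Dict, List

# Constructed sample of the exposure pattern: HTTP API bound to every
# interface, X-Pack security switched off.
WEAK_CONFIG = """
cluster.name: records-cluster
network.host: 0.0.0.0
xpack.security.enabled: false
"""

# Constructed sample of the same node hardened: private bind address,
# authentication required, TLS on the REST and transport layers.
HARDENED_CONFIG = """
cluster.name: records-cluster
network.host: 10.0.5.21
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

PUBLIC_BINDS = {"0.0.0.0", "::", "_global_", "_site_"}  # non-loopback binds

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' lines of elasticsearch.yml;
    comments and blank lines are skipped, nested YAML is out of scope."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings

def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings describing how the node could be read without
    credentials. Assumption: a missing xpack.security.enabled counts as off."""
    findings: List[str] = []
    host = settings.get("network.host", "localhost")
    exposed = host in PUBLIC_BINDS
    secured = settings.get("xpack.security.enabled") == "true"
    if exposed:
        findings.append(f"network.host={host}: REST API reachable beyond loopback")
    if not secured:
        findings.append("xpack.security.enabled is not true: no authentication on the REST API")
    elif settings.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: credentials sent in clear")
    if exposed and not secured:
        findings.append("CRITICAL: unauthenticated cluster bound to a public interface")
    return findings
```

Run `audit(parse_flat_yaml(WEAK_CONFIG))` against the weak sample to see all three findings fire; the hardened sample returns an empty list.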

Impact

The leaked fields reportedly included:

  • Full names, national resident ID-card numbers, birthplaces and addresses
  • Mobile phone numbers
  • Police case records and complaint reports, including incident summaries naming victims and suspects

Because the data combined civil-registry information with sensitive police case files, the exposure carried unusual risk: it could enable identity theft, fraud and the targeting of crime victims, informants and dissidents.

Response

Chinese authorities never publicly acknowledged the breach. Instead, regulators moved to suppress discussion: hashtags including "#dataleak" and "#databreach" were blocked on Weibo, and related posts were deleted on WeChat. No official investigation findings, prosecutions or notifications to affected citizens were disclosed.

The incident landed at an awkward moment, just months after China's Personal Information Protection Law (PIPL) and Data Security Law took effect with promises of stronger privacy safeguards — laws that bind companies far more tightly than the state's own security organs.

Why it matters

The Shanghai leak is the defining example of state-held bulk data exposed by basic misconfiguration. A single unsecured database undid the privacy of a substantial share of the world's most populous country, demonstrating that mass surveillance archives are themselves high-value single points of failure. The official silence also highlighted a structural gap: China's privacy regime polices private firms aggressively while offering citizens little recourse when the government's own systems leak.

Timeline

  1. Security researchers later report the Shanghai police database had been left openly accessible online for over a year before the leak.

  2. A user known as 'ChinaDan' posts an advertisement on the Breach Forums marketplace offering the data set.

  3. The offer of 23 terabytes covering roughly 1 billion residents for 10 bitcoin (about $200,000) is widely reported and discussed on Weibo and WeChat.

  4. Chinese censors block hashtags such as '#dataleak' on Weibo as discussion spreads.

  5. Reuters, the BBC and others verify samples of the data with affected individuals; experts call it one of the largest breaches ever.

  6. Chinese authorities make no public acknowledgement; no official investigation result is disclosed.

Sources

  1. en.wikipedia.org: https://en.wikipedia.org/wiki/Shanghai_police_database_leak
  2. reuters.com: https://www.reuters.com/world/china/data-leak-1-billion-chinese-tests-beijings-pledge-protect-privacy-2022-07-05/
  3. nbcnews.com: https://www.nbcnews.com/tech/security/hacker-claims-stolen-1-bln-records-chinese-citizens-police-rcna36658
  4. theregister.com: https://www.theregister.com/2022/07/05/shanghai_police_database_for_sell/
  5. rfa.org: https://www.rfa.org/english/news/china/hacker-data-07042022105540.html/

Related incidents

Data breach (resolved)

JD data breach (2013)

In 2013 (exact date unknown), the Chinese e-commerce service JD suffered a data breach that exposed 13GB of data containing 77 million unique email addresses. The data also included usernames, phone numbers and passwords stored as SHA-1 hashes.

Victim: JD
Records: 77.4M

Data breach (resolved)

RailYatri data breach (2022)

In December 2022, India’s government-approved online travel agency RailYatri suffered a data breach. The incident impacted over 31M customers and exposed 23M unique email addresses. Also impacted were names, genders, phone numbers and tickets purchased, including travel information and fares.

Victim: RailYatri
Records: 23.2M

Data breach (resolved)

Didi Global data security enforcement case

China's cyberspace regulator fined ride-hailing giant Didi Global RMB 8.026 billion (about $1.2 billion) after a year-long review found 16 violations of the Cybersecurity Law, Data Security Law and Personal Information Protection Law, including the illegal collection of facial-recognition, location and clipboard data from hundreds of millions of riders and drivers.

Victim: Didi Global
Loss: $1.20B