Data leak exposes 364 million Chinese social media profiles tracked by police surveillance programme, security researcher says

A database of hundreds of millions of chat logs of Chinese social media users has been leaked online, revealing that private records like user photos and identity card numbers were gathered by a government-linked surveillance program, a researcher has found.

Victor Gevers, a cybersecurity researcher with the non-profit GDI Foundation, shared his findings on Twitter on Monday. The surveillance network, he said, tracks about 364 million online profiles on a daily basis and retrieves sensitive information including their private chats, file transfers, real names, and ID numbers. The data is then distributed to police stations across the country.

“In China, they have a surveillance program on social networks which looks like a jerry-rigged PRISM clone of the NSA,” Gevers said in a tweet, referring to the US surveillance system revealed by former NSA contractor Edward Snowden in 2013.

The Chinese database in question was first exposed on the internet on March 2, but the breach was secured after Gevers publicly highlighted the problem, he said.

"These surveillance systems are dangerous when they are open and fully accessible to anyone, which increases the risk of remote data manipulation. We have seen databases get ‘ransomed’ in the past," Gevers said in a Twitter direct message.

GDI Foundation, whose findings are widely picked up by media, says its mission is to address security issues with responsible disclosure.

A large number of records in the database contain the names and addresses of cybercafes, according to a screenshot shared by Gevers. He pointed to the use of monitoring software in those internet cafes as a potential tool for gathering user data.

The records in the database, according to Gevers, have labels referring to six Chinese messaging services including QQ and WeChat, both operated by internet giant Tencent. The Shenzhen-based company didn’t immediately respond to a request for comment.

WeChat has in the past denied concerns that the app monitors users and keeps chat logs for government surveillance, but under Chinese law all internet companies operating in the country are required to store user data locally for official inspection when deemed necessary.

Most chat logs in the database appeared to be of everyday conversations among teenagers and gamers, Gevers said.

“If sensitive information was exchanged in some of those conversations, it could have been sold to black markets, the same way how stolen credit card info from compromised databases work,” said Jane Manchun Wong, a security researcher known for her work in reverse-engineering apps.

“Except this one, it’s effortless to hackers. They could essentially just walk in, and everything seems to be in plain text and accessible without any login information,” she said.

This is not the first major leak of Chinese surveillance data discovered by GDI Foundation. Last month, Gevers reported that Chinese tech company SenseNets had stored the records of 2.6 million people in Xinjiang – a Muslim majority region under heavy police surveillance – in an unsecured database. The exposed data included their ID numbers, addresses and ethnicity.

In January, a database of 200 million resumes of Chinese jobseekers scraped from domestic websites was exposed on the internet, according to European bug bounty platform HackenProof.

Last month, the National Internet Emergency Center, which falls under China’s top cyberspace watchdog, warned in a blog post that it found nearly 470 Chinese IP addresses, which were accessing the MongoDB open source document database, that were at risk of data breaches.