A cybercriminal has claimed to have gotten the personal information of 48.5 million users of a COVID-19 health code mobile app operated by the city of Shanghai.
On Thursday, the hacker identified as "XJP" announced an offer to sell the data for $4,000 on the hacker forum Breach Forums.
The hacker offered a sample of 47 individuals' information, including their phone numbers, names, Chinese identity numbers, and health code status.
Eleven of the 47 individuals contacted by Reuters acknowledged their inclusion in the sample, while two claimed their identifying numbers were incorrect.
Suishenma is the Chinese term for Shanghai's health code system, which the city of 25 million people, along with many others in China, implemented at the beginning of 2020 to battle the spread of COVID-19.
"This database covers everyone who has resided in or visited Shanghai since Suishenma's adoption," XJP wrote in the post, which initially requested $4,850 before reducing the price later in the day.
All residents and guests are required to utilize the app.
The software collects travel data to assign individuals a red, yellow, or green rating based on the possibility that they are infected with the virus, and users must provide the code to enter public spaces.
Users can use Suishenma via the Alipay app, which is owned by finance giant and Alibaba affiliate Ant Group, and the WeChat app, which is owned by Tencent Holdings.
XJP, the administration of Shanghai, Ant, and Tencent did not reply promptly to demands for comment.
The alleged Suishenma breach occurs after a hacker claimed early last month to have obtained 23 terabytes of personal data belonging to one billion Chinese individuals from the Shanghai police.
This hacker also advertised the data for sale on Breach Forums.
The Wall Street Journal, citing cyber security experts, reported that the first hacker was able to acquire police data because a dashboard for controlling a police database had been left unprotected on the public internet for more than a year.
The newspaper reported that data was hosted on Alibaba's cloud infrastructure and that Shanghai authorities had summoned business leaders in relation to the incident.
The Shanghai government, the Shanghai police, and Alibaba have not commented on the police database issue.