(Reuters) — A hacker claims to have obtained personal information from 48.5 million users of a COVID-19 health mobile app run by the city of Shanghai, the second claim of a data breach of the Chinese financial center in just over a month.
The hacker with the username “XJP” posted an offer to sell the data for $4,000 on hacker forum Breach Forums on Wednesday.
The person provided a sample of the data including phone numbers, names and Chinese identification numbers and health code status of 47 people.
Eleven of the 47 reached by Reuters confirmed they were listed in the sample, although two said their identification numbers were incorrect. Reuters was unable to further verify the authenticity of the hacker̵7;s claim.
The true size and nature of these types of hacks are sometimes overstated by the seller in an attempt to make a quick profit.
“This DB (database) contains everyone living in or visiting Shanghai since Suishenma’s adoption,” XJP said in the post, which originally asked for $4,850 before dropping the price later that day.
Suishenma is the Chinese name for Shanghai’s health code system, which the city of 25 million people established in early 2020 to combat the spread of Covid-19. All residents and visitors must use it.
The app collects travel data to give users a red, yellow or green rating indicating the likelihood of having the virus. The code must be shown to enter public places.