Protect What Matters
Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Shanghai Police Database Leak (Alibaba Cloud, 2022)
Shanghai Police Database Leak (Alibaba Cloud, 2022)
In July 2022, a hacker posted what they claimed was the personal data of roughly one billion Chinese residents on a cybercrime forum, asking 10 bitcoin (about $200,000 at the time) for the lot. The data (about 23 terabytes) came from the Shanghai Municipal Public Security Bureau (Shanghai Police). It was stored on Alibaba Cloud and left exposed to the public internet for more than a year, reportedly because a Kibana dashboard sitting in front of an Elasticsearch database was never password-protected. Often called the "Alibaba data breach" because of where the data was hosted, it's more accurately a Shanghai Police database leak — and one of the largest known exposures of government-held personal data to date.
What happened in the Shanghai Police database leak?
Discovered in June 2022, the data came from the Shanghai Municipal Public Security Bureau and was hosted on Alibaba Cloud. The breach exploited a cloud storage vulnerability, exposing sensitive information at an unprecedented scale. While the breach is not officially linked to a larger campaign, it highlights the systemic risks associated with cloud storage platforms.
When did the leak happen?
Reports suggest that the Alibaba data breach was uncovered in June 2022. However, it is believed that attackers may have been accessing the data over an extended period prior to this discovery.
Who was behind the leak?
The identities and motivations behind the Alibaba data breach remain unknown. No individual or threat group has officially claimed responsibility for the attack, adding to the difficulty of understanding its full intent.
How did the leak happen?
The attack exploited a vulnerability in Alibaba’s cloud storage configuration, enabling unauthorized access to sensitive user data. This is suspected to involve poor access credential management and insufficient auditing of cloud storage systems.
Alibaba Data Breach Timeline
Compromise: Unauthorized access begins but goes undetected.
Discovery: The breach was identified in June 2022.
Public Disclosure: Media outlets report on the breach shortly after its discovery.
Mitigation: Alibaba initiates a review of its cloud storage security and works to address vulnerabilities.
Technical Details
Attackers likely capitalized on poorly configured cloud permissions. Using automated tools, they accessed and extracted high volumes of user data, including sensitive personal details. Details about lateral movement or specific tools used remain sparse, but the scale suggests sophisticated techniques.
Indicators of Compromise (IoCs)
Currently, no specific IoCs such as IP addresses, domains, or hashes have been disclosed publicly.
Forensic and Incident Investigation
Alibaba engaged cybersecurity experts to conduct a thorough investigation, focusing on improving cloud security controls and auditing existing systems. Further details on recovery efforts remain limited.
What data was exposed?
Exposed data records, held by the Shanghai Police, included Personally Identifiable Information (PII) such as usernames, phone numbers, and email addresses. Financial records and business transactions may also have been part of the breach. The lack of information regarding encryption increases concerns about data misuse.
How many people were affected?
Approximately one billion records were contained in the dataset.
Data Breach Guide
Data breaches are the digital smash‑and‑grab of our era—crooks slip in, swipe your sensitive data, and leave you explaining the mess to customers, regulators, and maybe even your board of directors. Our data breach guide breaks down how breaches happen, what they really cost, and, most importantly, how you can stop them from gutting your business.
Why this leak matters
This leak was one of the largest known exposures of government-held citizen data in history. The leak caused significant reputational damage to Alibaba and raised trust issues with its cloud storage services.
How Alibaba and Chinese authorities responded
Neither Alibaba nor the Shanghai Municipal Government publicly confirmed the leak in detail.
Following the discovery, Alibaba pledged to strengthen its cybersecurity infrastructure. The company worked with authorities and third-party security firms to investigate and remediate vulnerabilities, though public updates on these measures remain limited.
Lessons from the Alibaba Data Breach
Cloud Security Matters: Misconfigurations can have catastrophic effects.
Regular Audits: Businesses must routinely audit their storage and security configurations.
Incident Response Plans: Preparedness and swift action are critical during breaches.
Public Trust: Transparency in disclosing breaches is vital for maintaining user confidence.
Is Alibaba Cloud safe to use after this leak?
While Alibaba claims to have implemented stronger security measures, users remain cautious. Without transparency about lessons learned and remediation efforts, lingering doubts about the platform’s security persist.
Mitigation & prevention strategies
To avoid breaches like Alibaba’s, organizations should adopt the following preventative strategies:
Enforce Multi-Factor Authentication (MFA) for account access.
Regularly audit and patch cloud platforms.
Establish Continuous Monitoring via a SIEM tool.
Implement stringent access controls and clear data access workflows.
Related Data Breach incidents
Related educational articles & videos
FAQs
The leak occurred due to a misconfigured cloud storage vulnerability, which allowed attackers unauthorized access to user data.
Names, national ID card numbers, mobile phone numbers, addresses, birthplaces, photos, and criminal case file details for roughly one billion Chinese residents. The data belonged to the Shanghai Municipal Public Security Bureau, not to Alibaba's commercial customers.
No individual or threat group has claimed responsibility for the attack. The hackers’ identity remains unknown.
Make sure no database, admin dashboard, or storage bucket is reachable from the public internet without authentication. Businesses can enhance security by enforcing MFA, regularly auditing systems, and adopting strict data access controls.
