Chinese private data leakage reaches new high of 4 billion records, Taiwan affected as well

Recently, China may have experienced the largest personal data breach in history, with an unsecured database leaking over 4 billion pieces of information about Chinese users. The leaked data includes sensitive personal information such as users’ banking data and WeChat and Alipay details, and even includes personal information of Taiwanese citizens. Experts believe that data breaches and trading in China have long been commonplace.

Cybersecurity researcher Bob Dyachenko, owner of SecurityDiscovery.com, and the renowned cybersecurity research team Cybernews discovered an unsecured database with no password protection containing a massive 631GB of data, including personal information of over 4 billion Chinese individuals. They have published a preliminary report on their findings.

The report reveals that the leaked database is meticulously curated and maintained, containing data from multiple sources with records ranging from over 500,000 to more than 800 million. It primarily includes banking data, WeChat, Alipay, and other sensitive personal information of Chinese users, as well as some data of Taiwanese individuals.

On May 19, 2025, researchers glimpsed part of the database, but the owner seemed to have noticed unauthorized access and shut down the database on May 20. As a result, the research team could not confirm the identity of the database owner, the exposure time, or whether there was any unauthorized access.

However, the team managed to review 16 datasets categorized by different data types, with the largest dataset “wechatid_db” containing over 8.05 billion records related to WeChat users, the second largest “address_db” containing over 7.8 billion records with geographically tagged residence data, and the third largest dataset named “bank” containing over 6.3 billion financial records, including payment card numbers, birthdates, names, and phone numbers.

Researchers suggest that malicious actors with access to these datasets could quickly deduce users’ locations, spending habits, debts, and savings statuses. Maintaining such a vast database typically requires a significant amount of time and effort, likely involving cooperation between threat actors, governments, or professional researchers.

The report mentions another major dataset, named in simplified Chinese as “three-factor checks,” containing over 6.1 billion records, potentially involving Chinese individuals’ ID numbers, phone numbers, and usernames.

Another dataset named “wechatinfo” contains nearly 5.77 billion records primarily storing WeChat user IDs. Researchers speculate that this dataset may include user metadata or communication records, possibly even conversations between users.

Furthermore, a dataset named “zfbkt_db” includes 300 million records related to Alipay cards, tokens, and 20 million pieces of financial data associated with Alipay. Researchers warn that “attackers may use this data for unauthorized payments, account takeovers, or identity theft. While it is a smaller dataset, it could spell disaster for victims of data breaches.”

The research team also found over 3.53 billion records spread across nine other datasets, covering information such as gambling habits, vehicle registrations, employment data, pensions, and insurance. Additionally, there is a dataset named “tw_db” containing data related to Taiwan, although the report did not specify the exact contents.

The research team believes that the massive scale and diverse types of leaked data could be exploited for surveillance, analysis, or centralization of data points. This data may be misused by threat actors or nations for phishing, extortion, fraud, or even state-sponsored intelligence collection or disinformation campaigns.

The report emphasizes that usually only hackers, governments, or researchers build and maintain such large-scale databases. As the data owner remains anonymous and lacks communication channels, those affected by the leak may find it challenging to seek help.

An IT engineer based in Japan, whose pseudonym is Cheng Gong, commented that “seeing this news is not surprising because institutions or individuals related to the Chinese Communist Party have long been involved in trading information. Chinese mobile users frequently receive scam messages and calls due to the sale of personal information. This trade of personal information has grown into a massive industry.”

Cheng Gong recalled his experience working at a company in China twenty years ago, where personal information of thousands of employees, including his own, was improperly used by Chinese banks to issue credit cards. Some employees’ credit cards were activated and used without their knowledge, and they discovered the situation only upon receiving notification of transactions.

Although this incident, which occurred over 20 days ago, may be the largest single-source personal data breach in China to date, the Chinese authorities remain silent and have been deleting warning articles from public WeChat accounts and forums, with only a few articles surviving.

Regarding this, Cheng Gong said, “The common practice of the Chinese Communist Party is to block information, delete related content on platforms like WeChat, Baidu, and forums. If the CCP deems the situation severe or politically sensitive, they may resort to arrests. Additionally, the appearance of such incidents may be accidental leaks or intentional distractions by the CCP to divert public attention.”

The report concludes that this breach surpasses the one in February 2025 involving 1.5 billion records sourced from Weibo, various Chinese banks, the Chinese ride-hailing platform DiDi, and the Shanghai Communist Party, encompassing Chinese names, phone numbers, email addresses, usernames, healthcare data, financial, transportation, and educational records.

In addition, in late April 2024, suspected anonymous attackers leaked over 1.2 billion records also related to the daily lives of Chinese individuals.

In June 2022, a hacker named ChinaDan claimed on the Breach Forums platform to have breached Shanghai Public Security’s cloud storage servers, accessing a massive 23.88TB (1TB=1,024GB) of data, with intentions to sell it for 10 bitcoins (approximately $1.08 million).

ChinaDan claimed that the leaked database contained personal details of 1 billion Chinese individuals, including names, addresses, birthplaces, ID numbers, phone numbers, and billions of pandemic-related data.

Contributions to this article were made by reporter Zhang Zhongyuan.