Cyber Incident Victim: Shanghai COVID health mobile app

Date: Aug 2022

Location: China

Summary

A hacker using the alias "XJP" advertised the sale of personal data belonging to 48.5 million users of Shanghai's COVID health mobile application on Breach Forums, pricing the dataset at $4,000. This marked the second alleged breach targeting the city's systems within a month, following a prior incident involving similar claims of compromised user information. The offer explicitly involved sensitive details collected through the municipal health app, though specific data types weren't disclosed in the forum post.

Description

On August 10, 2022, a hacker using the alias “XJP” posted an offer to sell personal information allegedly belonging to 48.5 million users of Shanghai’s COVID health mobile application on the Breach Forums online hacking forum. The threat actor priced the dataset at $4,000 USD. This marked the second publicly disclosed data breach claim targeting Shanghai’s systems within approximately one month, following an earlier incident involving the theft of police database records. The mobile application in question functioned as a municipal health code platform during the COVID-19 pandemic, though the forum post did not specify technical details regarding the intrusion methodology or data exfiltration process. No samples of the allegedly stolen data were publicly verified at the time of reporting.

The claimed 48.5 million user records exceeded the population of Shanghai, which stood at approximately 26 million residents in 2022, suggesting the dataset potentially included both residents and visitors who had used the health code system. The incident drew international media attention through Reuters reporting on August 12, 2022, though municipal authorities did not immediately issue public statements regarding the breach claim. The hacker’s forum post did not specify which data elements were compromised beyond “personal information,” leaving the exact nature of exposed records unverified. This breach claim occurred against a backdrop of heightened scrutiny regarding Chinese cybersecurity practices following multiple high-profile data leaks from government-affiliated systems during 2022. The $4,000 asking price for such a large dataset indicated potential motivations beyond financial gain, possibly including ideological objectives or demonstrating systemic vulnerabilities in critical public health infrastructure.
