Over 300 million private messages from Chinese users on popular messaging apps were sitting exposed on the internet on Saturday, according to security researcher Victor Gevers, who works for the nonprofit organization GDI. The database of 364 million records left users’ personal identities searchable to anyone who found the IP address, as reported by the Financial Times.
Each record, drawn from apps like WeChat and QQ, also contained personally identifying Chinese citizen ID numbers, photos, addresses, GPS location data, and info on the type of device being used. Worse, the main database also sent the data back to 17 other remote servers, according to Gevers.
"“I don’t think Chinese people will appreciate it if we start digging into their conversations.”"
To Gevers, it looks like the data ultimately gets distributed to police stations in cities or provinces — the other 17 servers — identifiable by their numerical codes. To be clear, he tells The Verge, “There is no evidence that law enforcement is doing something active with this spoonfed data. But the infrastructure and well-planned data distribution are there.”
“There were chats from teenagers. Direct messages that were supposed to be private,” Gevers says, “I threw a few into Google Translate and shared those to Twitter. But we stopped there — I don’t think Chinese people will appreciate it if we start digging more into their conversations.”
Many of the records contained addresses of internet cafes, indicating that the users might be gamers who frequent these cafes. Internet cafes have often been a target of censorship in China. Some local officials have asked cafes to install software that would track what its users browse.
Gevers first found the leak when monitoring devices through Shodan, a search engine that lets you look up internet-connected devices. According to him, it looked like someone had messed
https://www.theverge.com/2019/3/4/18250474/chinese-messages-millions-wechat-qq-yy-data-breach-police