
China suffers the largest data breach in history, with 4 billion pieces of information exposed

On June 5, 2025, shocking news broke in the cybersecurity community: a database containing 4 billion user records had been left publicly exposed on the Internet, accessible without a password. This data breach, discovered by a Chinese cybersecurity research team, is considered the largest personal information leak in Chinese history.
What is even more worrying is that the data is carefully organized into 16 collections of different categories, from which an almost complete profile of every Chinese citizen could be constructed. From WeChat chat records to Alipay transaction details, from home addresses to gambling habits, no detail is left out.
01 A personal portrait in an ocean of data: your life, fully replicated
The 631 GB database is like a huge treasure trove of personal information with its doors open to hackers. Its scale is astonishing: equivalent to the amount of information in 50,000 copies of ‘War and Peace’.
The “WeChat ID” collection in the database contains over 805 million records, most likely from China’s most popular social app, WeChat. Close behind is the “Address Database” collection, which contains over 780 million residential records with geographic identifiers.
Most worrying of all is the financial information. The collection labeled “bank” has over 630 million records, including payment card numbers, dates of birth, names, and phone numbers. Add the 300 million records of Alipay card and token information in the collection named “zfbkt_db”, and an almost complete financial portrait can be built.
What’s even more terrifying is that the data is suspected of being used to build a comprehensive profile of every Chinese citizen. As cybersecurity researchers have stated, “the massive scale and diversity of leaked data suggest that this could be a centralized data aggregation point used for surveillance, profiling, or data enrichment purposes.”
02 The depth and breadth of the data breach far exceed your imagination
When these datasets are cross-analyzed, the consequences are chilling:
WeChat information database: contains nearly 577 million records, which may involve user metadata, communication logs, and even conversation content.
Three-factor verification library: over 610 million records containing IDs, phone numbers, and usernames, the “holy grail” of identity verification.
Life detail library: over 353 million records distributed across 9 collections, covering gambling activities, vehicle registration, employment information, pension funds, and insurance data.
The terrifying aspect of this data breach lies in its completeness. With just the three main collections, skilled attackers can correlate different data points to uncover specific users’ residential locations, consumption habits, debt, and savings status.
Cybersecurity experts warn that “there are endless ways in which threat actors or countries can exploit this data. With such a large dataset, anything from large-scale phishing, extortion, fraud to state-supported intelligence gathering and false advertising activities is possible.”
03 Who is collecting? Why collect? The mystery behind the data
Despite the best efforts of researchers, the identity of the database owner remains a mystery. The database was quickly taken offline after being discovered, preventing further investigation.
Collecting and maintaining such a database requires a significant amount of time, resources, and professional skill, and is typically associated with threat actors, government agencies, or highly motivated researchers.
The organizational structure of the database indicates that its purpose is not just simple data aggregation. Each dataset is carefully named and classified according to specific categories, pointing to a systematic information collection mechanism.
One collection, named “tw_db”, was identified as possibly containing Taiwan-related information, suggesting that the scope of collection may extend beyond the Chinese mainland. Data collection on this scale points to monitoring and profiling capabilities that go beyond commercial purposes.
04 Under the legal framework, why companies are not afraid of a “three cups of penalty wine” fine
As early as 2021, experts pointed out that personal information had become cheap “Tang Monk meat”, carved up among various interest groups. The maximum fine proposed in the draft of the Data Security Law at that time was only 100,000 to 1 million yuan.
This is in stark contrast to the severity of penalties under the EU’s General Data Protection Regulation. The EU stipulates that Internet companies that collect personal information in violation of regulations can be fined up to 20 million euros or 4% of global turnover.
The consequences of insufficient punishment can be seen in the enforcement actions of the Shanghai Cyberspace Administration in 2024. Multiple well-known enterprises were found to have serious problems during the inspection:
A hotpot chain stored the personal information of 150 million members and the ID card information of 180,000 employees without encryption
A parking platform stored 8,000 pieces of car owner information and 1.96 million pieces of license plate information in a completely unprotected (“running naked”) state
The network security system of a real estate agency had 7 high-risk vulnerabilities
Although these enterprises have been summoned for rectification or have received legal education training, some still knowingly break the rules and take their chances.
05 From enterprises to individuals, security vulnerabilities are everywhere
The hidden dangers of data leakage exist not only in the commercial field; the major data leakage incidents reported by national security agencies reveal an even more worrying situation:
A staff member of a State Key Laboratory illegally stored more than 1,000 confidential documents on personal Internet-connected computers, which were controlled by foreign spies for three months.
A staff member of a certain organization fell for phishing messages disguised as official emails, which led to the organization’s office email being taken over.
A research institution’s OA system went unpatched for a long time; Trojan horses were implanted on the server, and important data was stolen and resold.
These cases reveal the weak links in the data security chain: from individual violations to inadequate system maintenance, every vulnerability can become a channel for the leakage of state secrets.
06 The black industry chain: the evil economy behind data leakage
Data breaches are not isolated incidents; behind them lies a complete black and gray industry chain. The ‘largest data theft case in history’, exposed in 2019, is shocking:
Black industry companies sign formal contracts with telecom operators, illegally intercepting user data
96 Internet companies including Baidu, Tencent and Ali
A black industry company with annual revenue exceeding 30 million yuan, even listed on the New Third Board
The 2023 attack on a technology company’s system in Xiamen further demonstrates how this industry chain operates: hackers obtain millions of pieces of personal information → data cleaning → buying and selling of the information (at 0.7-1 yuan each) → use for product promotion.
These cases reveal that the black and gray industry has moved from behind the scenes to the forefront, engaging in illegal data transactions under the guise of legality.
07 Personal protection guide: protecting yourself in the era of data “running naked”
Faced with large-scale data breaches, ordinary users are not completely powerless. Network security experts suggest taking the following protective measures:
Enable multi-factor authentication: turn on two-factor authentication for all important accounts (especially WeChat and Alipay)
Regularly check account activity: pay special attention to abnormal logins or suspicious transactions
Beware of phishing attacks: do not click on unknown email links, and do not download unknown attachments
Use security software: install reliable security software and keep it updated
Monitor credit reports: regularly check credit reports for abnormal activity
Special reminder from national security agencies: do not use non-classified devices to process sensitive information, do not casually click on email links from unknown sources, and update security protection software in a timely manner.
After the database was taken offline, researchers could no longer track the whereabouts of the data. The information may already be circulating on the underground black market or have been archived by certain organizations for future use. What’s even more unsettling is that ordinary users are almost powerless to do anything about it: they can’t confirm whether they’ve been affected, nor can they hold anyone accountable.
Data security experts point out that this leak exposed not only technical vulnerabilities but also systemic regulatory deficiencies. When the cost to enterprises of violating regulations is much lower than the cost of investing in security, and when the enforcement of personal information protection regulations is insufficient, the metaphor of “Tang Monk meat” is more appropriate than ever.
In the information age, personal data protection is no longer just a technical issue, but a fundamental right that concerns the dignity and security of every individual.
Disclaimers
All of my articles are technical sharing and are intended for defense purposes. All operations were carried out in an experimental environment and should not be used for any other purposes, otherwise the consequences will be borne by myself.
