Massive data spill exposes 8.7 billion Chinese records

A staggering 8.73 billion records belonging to Chinese citizens have been leaked online in one of the largest data exposures in history.

The discovery, made by researchers at Cybernews, reveals a massive treasure trove of sensitive information left unsecured on the public internet.

The leak originated from an exposed Elasticsearch cluster – a type of database used by businesses for high-speed data searching and scalability. According to Cybernews, the cluster contained 163 indices and remained publicly accessible for over three weeks starting on New Year’s Day 2026.

The sheer scale of the information is unprecedented. Researchers identified a wide range of sensitive data, including full names, mobile phone numbers, national citizen ID numbers, and home addresses. More alarmingly, the leak contained plaintext and weakly protected passwords, alongside social media identifiers and messaging account details.

The geographical focus of the data is predominantly mainland China, with metadata spanning multiple provinces and cities. While the researchers could not confirm the owner of the database, the use of “bulletproof” hosting – often associated with high-risk operations – suggests the data may have been intentionally aggregated by a data broker or a malicious actor.

The implications for the victims are severe. Cybernews warns that the exposure of national ID numbers and personal identifiers creates a systemic risk of identity theft. Malicious actors could use this data to set up fraudulent accounts or take over existing ones.

Furthermore, the presence of plaintext passwords allows cybercriminals to carry out “credential stuffing” attacks, targeting individuals who reuse the same login details across multiple platforms.

Cybernews researchers noted that even if the data is no longer accessible, it has likely already been disseminated across secondary criminal forums.

“This exposure demonstrates how large-scale personal data aggregation can persist outside regulatory oversight,” the research team explained to Cybernews. They estimated that while some data may be duplicated, the leak potentially affects hundreds of millions of individuals, representing a profound and lasting privacy risk for the region.

https://cybernews.com/security/billions-chinese-records-data-leak/