October 3, 2023

A data breach in Chinese database storing millions of faces and vehicle license plates resulted in exposure of data in the internet.

The database held over 800 million records, representing one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1 billion records from a Shanghai police database in June.


Those data belongs to a company called Xinai Electronics based in Hangzhou on China’s east coast. The company builds systems for controlling access for people and vehicles to workplaces, schools, construction sites and parking garages across China. The company is also provides cloud solution hosted on Alibaba.

The exposed database contained huge amount of information that was rapidly growing by the day and included hundreds of millions of records and full web addresses of image files hosted on several domains owned by Xinai. Neither the database nor the hosted image files were protected by passwords and could be accessed from the web browser by anyone who knew where to look.

The database included links to photos of faces, including construction workers entering building sites and office visitors checking in and other personal information, such as the person’s name, age and sex, along with resident ID numbers, which are China’s answer to national identity cards. The database also had records of vehicle license plates collected by Xinai cameras in parking garages, driveways and other office entry points.

China has already passed the Personal Information Protection Law, equivalent of Europe’s GDPR privacy rules, which aims to limit the amount of data that companies collect but broadly exempts police and government agencies that make up China’s vast surveillance state. China’s facial recognition majorly used to track citizens with their vast population, seems to be a helping solution.


Two mass data exposures in this year, both the Chinese government and tech companies are finding themselves ill-equipped to protect the vast amount of data that their surveillance systems collect.

This unprotected database was found by researcher Anurag Sen. But he is not the only one, more threat actors found this and stolen the data, and asking for ransom in form of cryptocurrencies for data exchange. The database is currently not found in the open internet.

Leave a Reply

%d bloggers like this: