This article was published on July 19, 2019

Over 100 Chinese loan apps are leaking millions of users’ financial data


Over 100 Chinese loan apps are leaking millions of users’ financial data Image by: Pixabay

In China, over 100 loan apps are leaking their users’ private data, including contact details, financial information, and even location data. The information is contained in a database spanning 889 GB; it was discovered by the lead of antivirus review site SafetyDetective’s research team, Anurag Sen.

Sen said that data leaked from over 4.6 million devices contributed to the database – and every time someone uses any of these apps, it gathers even more information. What’s more worrying is a bad actor can track someone’s live location through the database. t registers an entry of longitude and latitude every time a user logs into one of these apps.

The database is hosted on servers run by Aliyun Computing, a subsidiary of Alibaba. However, the researcher said the company’s not involved or responsible for the leak. TNW has received screenshots of entries in the database, and they appear legitimate.

Sen’s team believes a single marketing agency for mobile apps could be liable for the leak. But it’s not clear how or why said agency is leaking the data.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

These apps are also leaking other sensitive information like loan records and details, risk management data, transaction details, and personal info. Plus, there’s information about their devices including a detailed list of contacts, SMS logs, IMEI numbers, stored app data, and memory data. 

SafteyDetective’s team said that all this data can be used to steal someone’s identity:

There are more than enough details to entirely overtake someone’s identity without any significant effort whatsoever. If this data were to be sold on the Dark Web, it could easily be packaged into a ‘deal’ where an individual’s financial, medical, and personal life are up for grabs. When targeted, even a phone’s sim card can be replicated and nearly full access to all of a person’s phone apps that control smart home devices, contain private photos and details, and more is made available.

There’s no detail on who’s the owner of the database as of yet. We’ve contacted Alibaba for more details, and we’ll update the post accordingly.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with