The exposed information included highly sensitive details such as national identification numbers, residential addresses, email accounts, and social media identifiers - data that significantly increases the risk of identity theft, fraud, and account compromise.
According to Cybernews, the information was stored within a vast Elasticsearch database. This type of system is commonly used by organizations to manage and search extremely large datasets quickly. The uncovered cluster contained 163 separate indices, together holding billions of individual records.
Researchers discovered the database in the first days of 2026 and found that it remained publicly accessible for more than three weeks. Although there is no direct evidence that criminals exploited the data during that time, the researchers warned that its visibility alone makes unauthorized access highly likely.
Despite the relatively brief exposure period, the sheer scale of the dataset raises serious concerns. Cybernews researchers noted that automated tools could have been used to copy large portions of the information while it was accessible, potentially allowing the data to spread beyond the original server.
The discovery was made by cybersecurity researcher Bob Diachenko, a Cybernews contributor and founder of SecurityDiscovery.com. Analysis of metadata within the cluster showed that new information had been added as recently as late 2025, suggesting the database was actively maintained rather than being a one-time dump from an old breach.
Researchers believe the dataset reflects a long-term effort to collect and consolidate personal information across multiple sources, rather than the result of a single security failure. The leaked records varied widely across the database. Some indices contained detailed personal profiles, while others focused on digital accounts, authentication data, or business information. Much of the exposed data fell into four broad categories: personally identifiable information, online account data, login credentials, and corporate records.
Personally identifiable information included full names, phone numbers, national ID numbers, home addresses, birth details, and demographic attributes. Account-related data covered email addresses, usernames, and social media or messaging platform identifiers. In several datasets, passwords appeared in plaintext or were only weakly protected. Business-related records included company registration data, legal representatives, and licensing information.
Geographically, the majority of records appeared to relate to individuals and entities in mainland China, with location data spanning numerous provinces and cities.
The database was highly structured, with separate indices organized by data type, such as phone numbers, identity documents, or account credentials. However, the system contained no identifying banners, ownership labels, or organizational markers, making it impossible to determine who controlled the data. No public entity has claimed responsibility for the database.
Cybernews researchers noted that the infrastructure was hosted with a provider often associated with high-risk or loosely regulated operations. Combined with the size and organization of the dataset, this led the team to believe the data was intentionally aggregated rather than accidentally exposed by a single consumer service.
Some of the data types closely resemble the information collected by commercial data brokers. Other elements suggest the dataset could be used for large-scale financial fraud or identity-based crimes.
While duplicate records appeared across different indices, the total volume still suggests that the personal information of hundreds of millions of individuals may have been affected.
Although the database has since been taken offline, its weeks-long exposure may already have caused lasting damage.
This is not the first major data exposure involving Chinese information. In recent years, Cybernews has identified multiple record-breaking leaks, including a 4-billion-record exposure in 2025 and a compilation breach in 2024 involving over 1.2 billion records. One of the most severe incidents occurred in 2022, when a 23-terabyte dataset allegedly linked to the Shanghai police was circulated online, reportedly affecting information tied to around one billion people.
Newer Articles
- How to Throw an Instagram-Worthy Party without Breaking the Bank
- How Specialized Education Opens Doors to Behavior-Based Careers
- GeForce NOW Expands to Amazon Fire TV, Adds New Games for Anniversary Celebration