The most private data of millions of Chinese citizens, gathered by loan apps, has potentially been exposed to cybercriminals for half a month.

Israeli company Safety Detective uncovered a sizeable trove of personal data on a Chinese server that had been exposed for weeks. The server in question has already been closed after CNET reached out to Alibaba, which hosted the server. However, Alibaba declined to name the owner of the exposed database, which contained millions of entries of private information that could potentially ruin lives if accessed by cybercriminals.

899+ GB of Data Leaked

Safety Detective’s Head of Research, Anurag Sen, led the investigation of the personal data leak, and the team discovered that the database contained information gathered by more than 100 loan-related apps that operated in the country. Loan apps serve millions of Chinese citizens who do not have a credit score, and have allowed people to borrow money quickly online. Youyidai, one of the loan apps identified, has been downloaded more than 1.4 million times in China.

While China is known for having a generally questionable stance on data privacy, the scale of the current data leak is unimaginable. The database had already reached a size of 899+ gigabytes of data and had been increasing by the day prior to Alibaba’s closure of the server.

The server provider, Aliyun Computing Co., had no idea that the database had been exposed, and had only rented the server to the database owner. The Elastic server contained a variety of personal files and information, including credit evaluation reports that exposed loan records and details, risk management data, real ID numbers, and private information such as full names, addresses and contact numbers.

Alibaba Cloud Closes the Server

Alibaba, the owner of the Alibaba Cloud platform, released this statement after CNET contacted the company about the data leak.

“We provide ongoing security guidelines and training to all our customers, and always advise them to protect their data by setting a secure password among other security recommendations,” an Alibaba spokesperson stated.

“A series of actions were immediately taken to identify, alert and guide the customer, once Alibaba Cloud was informed about their database vulnerability hosted on our public cloud platform.”