A database of hundreds of millions of chat logs of Chinese social media users has been leaked online, revealing that private records like user photos and identity card numbers were gathered by a government-linked surveillance programme, a researcher has found.

Victor Gevers, a cybersecurity researcher with the non-profit GDI Foundation, shared his findings on Twitter on Monday. The surveillance network, he said, tracks about 364 million online profiles on a daily basis and retrieves sensitive information including their private chats, file transfers, real names, and ID numbers. The data is then distributed to police stations across the country.

Around 364 million online profiles and their chats & file transfers get processed daily. Then these accounts get linked to a real ID/person. The data is then distributed over police stations per city/province to separate operators databases with the same surveillance network name — Victor Gevers (@0xDUDE) March 2, 2019

“In China, they have a surveillance program on social networks which looks like a jerry-rigged PRISM clone of the NSA,” Gevers said in a tweet, referring to the US surveillance system revealed by former NSA contractor Edward Snowden in 2013.

The Chinese database in question was secured after Gevers publicly highlighted the problem, he told the Financial Times.

A request for comment from Gevers, via a Twitter direct message, did not receive an immediate response.

GDI Foundation, whose findings are widely picked up by media, says its mission is to address security issues with responsible disclosure.

A large number of records in the database contain the names and addresses of cybercafes, according to a screenshot shared by Gevers. He pointed to the use of monitoring software in those internet cafes as a potential tool for gathering user data.

The records in the database, according to Gevers, have labels referring to six Chinese messaging services including QQ and WeChat, both operated by internet giant Tencent. The Shenzhen-based company didn’t immediately respond to a request for comment.

WeChat has in the past denied concerns that the app monitors users and keeps chat logs for government surveillance, but under Chinese law all internet companies operating in the country are required to store user data locally for official inspection when deemed necessary.

Most chat logs in the database appeared to be of everyday conversations among teenagers and gamers, Gevers said.

“If sensitive information was exchanged in some of those conversations, it could have been sold to black markets, the same way how stolen credit card info from compromised databases work,” said Jane Manchun Wong, a security researcher known for her work in reverse-engineering apps.

“Except this one, it’s effortless to hackers. They could essentially just walk in, and everything seems to be in plain text and accessible without any login information,” she said.

This is not the first major leak of Chinese surveillance data discovered by GDI Foundation. Last month, Gevers reported that Chinese tech company SenseNets had stored the records of 2.6 million people in Xinjiang – a Muslim majority region under heavy police surveillance – in an unsecured database. The exposed data included their ID numbers, addresses and ethnicity.

In January, a database of 200 million resumes of Chinese jobseekers scraped from domestic websites was exposed on the internet, according to European bug bounty platform HackenProof. – South China Morning Post