Loan apps exposed real-time location data on millions in China

Exclusive: More than 100 apps for loans in China have been sending data to an unprotected server, exposing how much money people owe and where they are.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read
Blue tone city scape and network connection concept , Map pin business district

The exposed server was getting live updates from more than 100 loan-related apps, some of which were providing real-time location data.

Nochkhun / Getty Images

Millions of people in China who use loan apps to borrow money have ended up paying with their privacy. A security researcher discovered a public database left exposed online containing sensitive data on more than 4.6 million devices, including location history, debt logs, financial information and contacts.

The database had over 899 gigabytes of data coming from more than 100 loan-related apps in China, according to Anurag Sen, an independent security researcher who discovered the leak. The public database was growing, as these apps gathered data on people's activities and stored it the unsecured server in real time.

Sen said his team notified Alibaba on July 11, which hosted the server, but was unable to contact the database's owner. Looking at the type of data stored, it most likely belongs to a marketing agency for mobile apps , Sen said. 

The massive data leak contained a treasure trove of information on millions of Chinese citizens, including active updates on a person's location. The database logged a device's latitude and longitude every time its owner logged into the app. An attacker with access to this public server would essentially be able to track millions of people in real time, along with having access to a detailed list of contacts and their credit card information. 

"A bad actor can take advantage of the information like phone number and address to cause identity theft or in a serious case, can cause physical damage," Sen said in an email. "Some of the biggest risks we can think of would be government or company espionage (even more in a country like China) since we have some location logs, calls logs and texts records."

Watch this: Loads of Android apps are skirting privacy controls

Alibaba took the server offline after CNET reached out to the company. It had been up for at least two weeks -- Sen first discovered it on June 30. The database also had names, birth dates, addresses, phone numbers, debt details and passwords stored on the exposed server.

"We provide ongoing security guidelines and trainings to all our customers, and always advise them to protect their data by setting a secure password among other security recommendations," an Alibaba spokesperson said in a statement. "A series of actions were immediately taken to identify, alert and guide the customer, once Alibaba Cloud was informed about their database vulnerability hosted on our public cloud platform."
Alibaba declined to name the company that left the server unprotected.


The exposed database had data including passwords, and the phone's latitude and longitude.

Safety Detective

Sen led the research through Safety Detective, an Israeli company that reviews antivirus software. One of the 100+ apps sending data to this server was Youyidai, a loan app that has been downloaded more than 1.4 million times in China.  

People use apps like these to quickly borrow money in China, while the tech companies gather thousands of data points to approve these loans, The Wall Street Journal reported. App-based loans have spiked in China over the last four years, totaling $54.6 billion between 2015 and 2017. Some loan apps in China also give access to people's real-time location for debt collectors.

Loan apps use personal data to approve loans, a useful function given that millions of Chinese citizens don't have credit scores, but Sen's discovery raises concerns that these apps aren't properly protecting people's data.

Youyidai didn't respond to a request for comment.

Many companies store sensitive data on cloud servers, but not everyone keeps that data protected. In April, for instance, security researchers found millions of Facebook's records kept on a public server by a third-party company, with passwords available in plain text. In June, Sen discovered another database exposed with data on 1.6 million job seekers across the world. 

You might protect your personal information like your phone number, financial data and location, but if it's logged on a company's database and that database isn't properly secured, hackers can still get access to it.

Security researchers are often combing the web for exposed databases, in the hopes of finding unprotected servers before malicious hackers do. Once they find an exposed database, the researchers can warn the owners to lock up the servers so they're harder to find and access. In the case of the loan apps, this database is still exposed because Sen couldn't find the owners. 

"Leaks like these are continuously happening because companies mismanage the server where they store the logs. It is a technical fault and a very silly one which can cause very serious damage to the company and its customers by leaving databases like this without password over the internet," Sen said.

It's unclear if online criminals had accessed the data that Sen discovered. If malicious hackers got access to that information, Sen said, there would be "more than enough details to entirely overtake someone's identity without any significant effort."

All of the indoor home security cameras we've tested

See all photos