In a post on the online hacking forum Breach Forums last week, someone using the handle 'ChinaDan' offered to sell nearly 24 terabytes of data including what they claimed was information on a billion people and "several billion case records" for 10 Bitcoin, worth about $US200,000 ($A295,000).
The data purportedly includes information from the Shanghai National Police database including names, addresses, national identification numbers and mobile phone numbers as well as case details.
A sample of data seen by The Associated Press listed names, birthdates, ages and mobile numbers.
One person was listed as having been born in 2020, with their age listed as one, suggesting information on minors was included in the data obtained in the breach.
The Associated Press could not immediately verify the authenticity of the data samples. Shanghai police did not immediately respond to a request for comment.
The data leak initially sparked discussion on Chinese social media platforms such as Weibo, but censors have since moved to block keyword searches for 'Shanghai data leak'.
One person said they were sceptical until they managed to verify some of the personal data leaked online by attempting to search for people on Alipay using their personal information.
Another person commented on Weibo the leak means everyone is "running naked" - slang used to refer to a lack of privacy - calling it "horrifying".
Experts said the breach, if confirmed, would be the biggest in history.
Kendra Schaefer, a partner for technology at policy research firm Trivium China, said in a tweet it is "hard to parse truth from the rumor mill, but can confirm file exists".
Such data leaks are fairly common, according to Michael Gazeley, managing director at Hong Kong-based security firm Network Box.
"There are approximately 12 billion compromised accounts posted on the Dark Web right now. That's more than the total number of people in the world," he said, adding that data leaks often come from the US.
Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, called the breach "potentially incredibly embarrassing to the Chinese government".
Most of the data is similar to what advertising companies that run banner ads would have, he said.
"When you're talking about a billion people's information and it's static information, it's not about where they travelled, who they communicated with or what they were doing, then it becomes very much less interesting," Wisniewski said.
"The information, once it's unleashed, is forever out there.
"So if someone believes their information was part of this attack, they have to assume it's forever available to anyone and they should be taking precautions to protect themselves."
In 2020, a major cyberattack believed to be by Russian hackers compromised several US federal agencies such as the State Department, the Department of Homeland Security, telecommunications firms and defence contractors.
Last year, more than 533 million Facebook users had their data published in a hacking forum after hackers scraped its data due to a vulnerability that has since been patched.