
Chinese Developer Forum Leaks 6 Million User Credentials

Posted by timothy
from the it's-curtains-for-you-elizabeth-my-dearbook dept.
gzipped_tar writes "The 'Chinese Software Developer Network' (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the largest networks of software developers in China. A text file with 6 million CSDN user credentials, including user names, passwords and emails, all in clear text, got leaked to the Internet. The CSDN has issued a letter of apology to its users. In the letter, it is explained that passwords created before April 2009 had been stored in plain text, while later passwords were encrypted. Users created between September 2010 and January 2011 may still suffer from email address leaks. A summary of the most frequent passwords without the corresponding usernames is available at GitHub. Somewhat surprisingly, the cryptic-sounding password 'dearbook' ranks 4th, with 46053 accounts using it."
  • The hackers got hacked?
  • Does 'dearbook' mean something to the Chinese? It sounds like nonsense to a native English speaker.

    Clear text passwords - idiots.

    • Re: (Score:2, Insightful)

      by BigMattyC (969603)
      It is probably a reference to Mao's Little Red Book. http://en.wikipedia.org/wiki/Quotations_from_Chairman_Mao#Images_from_.22The_Little_Red_Book.22 [wikipedia.org]
    • Re:'dearbook'? (Score:5, Informative)

      by Anonymous Coward on Thursday December 22, 2011 @12:14PM (#38460216)

      dearbook.com.cn is a Chinese online technical book retailer owned by CSDN.

      • by 1s44c (552956)

        dearbook.com.cn is a Chinese online technical book retailer owned by CSDN.

        The first answer that doesn't take the piss. Thanks.

    • by Anonymous Coward

      It's the Chinese answer to Amazon (dearbook.com.cn). Probably devs for said site.

    • Checking it out a bit further, looks like Dearbook is the name of an online IT community or something similar. I found some relation between Dearbook and this CSDN thing so maybe it's like somebody using the password "Geeknet" for Slashdot? Something in that vein, anyway.
    • by robbo (4388)

      Could be cultural but my money is on several thousand spammer-created accounts using the same password.

      • by robbo (4388)

        Ok, I'm wrong about this - most likely the bookstore...

      • by jc42 (318812)
        Another likely cause is some software package that uses "dearbook" as the default password, or uses it in examples. People have a way of making minimal changes in things that they install, out of fear of breaking something. They also tend to copy examples literally, even the fields that are supposed to contain personal information.
    • by kramulous (977841)

      A work friend's response:
      ----------------
      From what I guess, (just for fun)

      In English,
      1."Oh Dear"=="Oh God"
      divide "Oh" on both sides=> dear==god
      thus "dearbook" =="godbook"

      In Chinese,
      "tian"=="god"
      "shu"=="book"

      "tian shu" literally means a book that only God can read. It is basically a book that has nothing but blank pages. :)

  • by Anonymous Coward on Thursday December 22, 2011 @12:10PM (#38460176)

    They all seem to be the sort of password I'd type in for an account that I really don't care about, and am only creating because it's mandatory.

    Does the site offer/store anything that would be worth the effort of creating a password worth caring about?

    • by jabbany (2425264)

      Does the site offer/store anything that would be worth the effort of creating a password worth caring about?

      As a CSDN user, I'd say : No.

      Still, it doesn't prevent millions of users, who are too 'busy' to even bother using a dummy password, from actually using their main passwords (web banking, email etc.) on the ad-riddled forum.

  • Before April 2009 (Score:5, Insightful)

    by tchernobog (752560) on Thursday December 22, 2011 @12:15PM (#38460228)

    passwords created before April 2009 had been stored in plain text

    UPDATE users SET password = SHA1(password) WHERE created_at

    There. Did it for you. Won't prevent everything getting stolen, but at least you don't give away any more passwords reusable on other websites.

    I mean... seriously?? So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

    • UPDATE users SET password = SHA1(password) WHERE created_at <= '2009-04-01';

      I hate angular brackets in HTML.

    • Re:Before April 2009 (Score:5, Informative)

      by OverlordQ (264228) on Thursday December 22, 2011 @12:19PM (#38460286) Journal

      So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

      Mediawiki is (re: was) like that. When it changes password schemes it detects which version the pw is stored in, authenticates using that (older) method and then upgrades you to the new format.

      • by Anonymous Coward

        This is because the old format was ALSO hashed (but not salted). You can't do the update query above unless you have the plaintext.

      • by AmiMoJo (196126)

        If it only updates after login and you don't login any more because you got fed up with wiki*...
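The scheme OverlordQ describes, and the Anonymous Coward's caveat about it, in runnable form. This is an added example, not MediaWiki's code and not CSDN's: the three row formats ("plain:", "md5:", "pbkdf2:"), the PBKDF2 parameters and the sample users are assumptions made here. Rows that still hold the clear-text password can be rehashed in bulk (the equivalent of tchernobog's UPDATE); rows that hold an unsalted MD5 can only be upgraded at the moment a login hands the server the password again.

```python
import hashlib
import hmac
import os

# Storage formats are assumptions for this example, not CSDN's or MediaWiki's:
#   "plain:<password>"              pre-migration rows kept in clear text
#   "md5:<hex>"                     old rows hashed with unsalted MD5
#   "pbkdf2:<iters>:<salt>:<hex>"   current scheme, salted PBKDF2-HMAC-SHA256
PBKDF2_ITERATIONS = 100_000


def hash_modern(password: str) -> str:
    """Hash with a fresh random salt under the current scheme."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2:{PBKDF2_ITERATIONS}:{salt.hex()}:{dk.hex()}"


def legacy_md5_row(password: str) -> str:
    """Build an old-style unsalted row; used only to construct sample data."""
    return "md5:" + hashlib.md5(password.encode()).hexdigest()


def verify(stored: str, password: str) -> bool:
    """Detect which scheme the row uses and check the password with that scheme."""
    scheme, _, rest = stored.partition(":")
    if scheme == "plain":
        return hmac.compare_digest(rest.encode(), password.encode())
    if scheme == "md5":
        return hmac.compare_digest(rest, hashlib.md5(password.encode()).hexdigest())
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = rest.split(":")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def migrate_plaintext_rows(users: dict) -> int:
    """Offline bulk upgrade, the equivalent of the UPDATE statement above.

    Only rows that still hold the clear-text password can be rehashed without
    the user present. MD5 rows cannot: the hash does not give back the
    password, so they have to wait for a successful login."""
    upgraded = 0
    for name, stored in list(users.items()):
        if stored.startswith("plain:"):
            users[name] = hash_modern(stored[len("plain:"):])
            upgraded += 1
    return upgraded


def login(users: dict, name: str, password: str) -> bool:
    """Authenticate with whatever scheme the row uses, then upgrade the row."""
    stored = users.get(name)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("pbkdf2:"):
        users[name] = hash_modern(password)  # the password is in hand now
    return True
```

Rows that never see a login again (AmiMoJo's case) stay in the old format indefinitely, so a migration like this should be paired with a cut-off date after which unmigrated rows are invalidated and those users are sent through a password reset.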

    • by Ex Machina (10710) <{jonathan.williams} {at} {gmail.com}> on Thursday December 22, 2011 @12:22PM (#38460308) Homepage

      That's cool, but there should be salting. http://en.wikipedia.org/wiki/Salt_(cryptography) [wikipedia.org]

      • by Anonymous Coward
        Ex Machina, you culturally ignorant slut. Don't try forcing your Occidental mores on other cultures. In China they season their passwords with MSG instead of salt.
    • I live in China, the problem is not that the technicians do not know how to do this (well many are shockingly incompetent; if I described my desktop XP install, here in my office, you would blanch); the problem is that the decisions are not made by the people doing the work. The decisions about what needs to be done are made by leaders.

      The leaders do not need to hear ideas from below, if the people below had any worthy ideas then they would be leaders. They give orders and the orders are acted on; or not de

  • by Anonymous Coward

    It's sooooo easy to md5 a password before doing anything with it. md5 it in javascript and never bother collecting the clear text. Is it the most secure ever? Probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.

    • by _0xd0ad (1974778) on Thursday December 22, 2011 @12:44PM (#38460544) Journal

      If the MD5 is all that gets sent, it is the password. If someone gets the MD5 hashes they can log in by hacking the Javascript to send the MD5 without ever having the original password.

      • by ftobin (48814) *

        What you say is true, but one benefit of doing an MD5 before it's sent is that one can't infer other passwords from a MD5 hash. A person might use passwords that follow a similar pattern that can be deduced by looking at cleartext, but not from hashes. For example, if the passwords a person uses are "mypassword@slashdot" and "mypassword@sourceforge", one could probably guess their Facebook password.

        Added salt helps even further.

        The conclusion is that the authenticator should never receive the client's

        • by _0xd0ad (1974778) on Thursday December 22, 2011 @02:00PM (#38461440) Journal

          There's nothing wrong with hashing your own password so that someone can't infer "mypassword@sourceforge" from "mypassword@slashdot", but you can't trust a client-side hash function any more than you can trust the server-side authentication, unless it's your client-side hash function.

          There's no benefit in designing a login form that hashes the password before it's sent, as long as the form is using SSL. Furthermore, there's no backward-compatibility for people who have Javascript disabled. They can't log in.

          • by ftobin (48814) *

            You don't have to trust the client-side hashing function, as ordinarily you're not expecting it to be implemented on top of ordinary security. It's simply a bonus level of security a site can provide, even in the case of SSL transport, in case the receiver is compromised. In other words, it's possible that one component of the authentication process that handles the client-side-generated string (either a hash or cleartext password) is compromised, but not the authentication prompter itself. In this sort

            • by _0xd0ad (1974778)

              You don't have to trust the client-side hashing function, as ordinarily you're not expecting it to be implemented on top of ordinary security. It's simply a bonus level of security a site can provide

              From the user's perspective, the same benefits would be obtained equally well by simply not re-using passwords. From the web designer's perspective, there's no benefit to hashing on the client vs. on the server.

              even in the case of SSL transport, in case the receiver is compromised

              The hash is still the password, so if the receiver is compromised, you get the password.

              If the protocol enforces hashing on the client-side before sending, you don't have to worry about trusting the client-side or javascript being disabled.

              Maybe you have confused hashing with encryption.

          • by pclminion (145572)

            How about a browser plugin that causes every password text box to automatically hash its contents before submitting the form? Something like this:

            User enters password in password field. Browser consults a salt database, keyed by hostname. If entry for this host is not found, adds one, and generates a random salt. Otherwise, uses previously generated salt. The browser then concatenates the password in the input field with the salt. Hashes the result. Represents in base64. The result of all this is what is ac

            • by _0xd0ad (1974778)

              That's why I said there's nothing wrong with hashing your own passwords. However, in practice, just about every web site has its own quirky rules about what can or can't be used as a password, which makes it hard to use any single system for all of them.

            • by Arrepiadd (688829)

              If I understood what you meant; how do I log in from another computer?

              • by pclminion (145572)

                If I understood what you meant; how do I log in from another computer?

                Well, you'd need to install the plug-in on any browser you'd want to use, which I admit is a drawback. But the salt DB could easily be put out in the cloud somewhere. The hashes themselves aren't sensitive information.

            • by scdeimos (632778)

              User enters password in password field. Browser consults a salt database, keyed by hostname. If entry for this host is not found, adds one, and generates a random salt. Otherwise, uses previously generated salt. The browser then concatenates the password in the input field with the salt. Hashes the result. Represents in base64. The result of all this is what is actually submitted to the form.

              I guess you can say goodbye to federated authentication schemes like OpenLogin.
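pclminion's plugin idea as a model, so the roaming question from Arrepiadd can be tried out. This is an added example, not pclminion's plugin (which was only sketched) and not browser code: the salt table is an in-memory dictionary, PBKDF2-HMAC-SHA256 stands in for the unspecified hash, and the export/import format is an assumption made here.

```python
import base64
import hashlib
import os

ITERATIONS = 100_000  # assumption: the sketch did not say which hash to use


class PerHostHasher:
    """Model of the plugin: one random salt per hostname, kept in a local table."""

    def __init__(self, salts: dict = None):
        # hostname -> 16 random bytes; this table is the "salt database"
        self.salts = dict(salts or {})

    def salt_for(self, host: str) -> bytes:
        if host not in self.salts:
            self.salts[host] = os.urandom(16)  # first visit: create an entry
        return self.salts[host]

    def submit_value(self, host: str, password: str) -> str:
        """What the form submits in place of the typed password."""
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 self.salt_for(host), ITERATIONS)
        return base64.b64encode(dk).decode()

    def export_salts(self) -> dict:
        """Serialisable copy of the table for syncing it to another browser."""
        return {host: salt.hex() for host, salt in self.salts.items()}

    @classmethod
    def from_export(cls, data: dict) -> "PerHostHasher":
        return cls({host: bytes.fromhex(s) for host, s in data.items()})
```

Two things the model makes concrete: the same typed password yields an unrelated submit value on every host, and a second browser reproduces those values only if it has a copy of the salt table (a fresh table gives different values and the login fails). As scdeimos notes, a site that delegates its login to a federated provider never receives this value at all, so the scheme only covers sites with their own password form.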

      • by Anonymous Coward

        there's an easy way to fix this kind of flaws: browser could send md5(password) but the db could store md5(md5(password))
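_0xd0ad's point ("the hash is the password") and the Anonymous Coward's md5(md5(password)) remedy, side by side in a toy server. This is an added example, not CSDN's code: the md5-in-the-browser transform is the one the thread discusses, while the server side swaps the proposed second bare MD5 for a salted PBKDF2 (an assumption made here, since an unsalted second hash would leave a leaked table open to the same bulk guessing as a single one).

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000


def client_transform(password: str) -> str:
    """What the browser script in the thread would send instead of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def server_store(transmitted: str) -> str:
    """Store a salted, slow hash of the received value, never the value itself.
    This is the thread's md5(md5(password)) idea with a salt and PBKDF2 in
    place of the second bare MD5 (an assumption of this example)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", transmitted.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def authenticate(db: dict, user: str, transmitted: str) -> bool:
    """The server's only check: does the received value match the stored record?"""
    stored = db.get(user)
    if stored is None:
        return False
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", transmitted.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def register(db: dict, user: str, password: str) -> None:
    db[user] = server_store(client_transform(password))


def wire_value_is_credential(db: dict, user: str, password: str) -> bool:
    """True: the transmitted value alone is accepted, so it needs the same
    protection in transit (TLS) as a clear-text password would."""
    return authenticate(db, user, client_transform(password))


def stored_record_is_credential(db: dict, user: str) -> bool:
    """False: a leaked database row cannot be replayed as the wire value."""
    return authenticate(db, user, db[user])
```

The asymmetry is the whole argument of the subthread: client-side hashing changes which string is the secret, not whether there is one, so the transport still has to be encrypted; what the server stores, on the other hand, should never be the string it accepts on the wire.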

    • Re: (Score:2, Informative)

      by jabbany (2425264)

      It's sooooo easy to md5 a password before doing anything with it. md5 it in javascript and never bother collecting the clear text, is it the most secure ever? probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.

      Actually, doing MD5 on a client side script is a severe no-no if it were the only form of authentication. A hacker could simply run a script running through all 16^32 possibilities of the MD5 hash instead of the almost infinite possibilities of the original password. Doing a client side MD5 actually weakens many passwords instead of strengthening them. You're left with something around an 18 character alpha-numeric-symbol password - no matter how long or difficult your original password was.

      • by _0xd0ad (1974778)

        Do you have any idea how many that is?

        16^32 = 3.4x10^38

        If they could try 1M hashes per second, that would take over 10^25 years...

    • by jrumney (197329)

      md5 it in javascript and never bother collecting the clear text, is it the most secure ever?

      Doing it like you describe, it is effectively a cleartext password, albeit a different one than the user typed.

  • The kind of thing an idiot would have on his luggage!

  • After looking at port scans this morning, I have one thing to say: what goes around comes around. I have a hard time thinking such incompetence as would lead to so many exploited machines is possible without just a little bit of malice.

  • I'm looking at you, Mailman... http://www.list.org/ [list.org]

  • I understand where a lot of the passwords come from, but what is the basis for the 18th on the list, "xiazhili"? What does it mean? It doesn't line up with anything I can figure out like the others.

    • by Mojo66 (1131579)

      The Chinese language is made of thousands of symbols and there is a translation table to map those symbols to the 26 western characters. "xiazhili" might be Chinese for 'swordfish'.

    • My favorites are line 82 ("!@", with 1006 accounts using it), and line 94 (empty string, with 863 accounts).

      So in addition to storing passwords in clear text, they also have (had?) no password requirements at all.

      And I bet some of the people there are the same people hacking into our critical infrastructure. What does that say about us?

  • ... for new malware attack vector on daft news readers.
  • We've had at least 3 engineers from Chinese companies visit us that put their index finger on 1 and swipe 23456789 all in one motion for their laptop password. I had never seen that before working with the Chinese. Is swiping the keyboard for passwords only popular in China, or do idiots everywhere do that?
  • English 'iloveyou' is at #26 but the Mandarin for the same is 'wo ai ni' ... 'woaini1314' is at #83. The 1314 means "forever" ... because it sounds like forever when pronounced in Cantonese. At #93 is '5845201314' - when pronounced in Mandarin - 'wo fa shi, wo ai ni, yi san yi si'. ... which sounds like - "i swear to love you forever and ever"... More here: http://en.wikipedia.org/wiki/Numbers_in_Chinese_culture#Combinations [wikipedia.org]
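The observations in the last few comments (empty passwords, "!@", 11111111, the swiped 123456789) are exactly what a password-policy review over a leaked frequency list would flag. Here is an added example of such a review, not code from the thread or from the GitHub summary it links: the "count password" line format, the keyboard-row table, the eight-character minimum and the category names are assumptions made here, and the sample list is constructed (only the dearbook, "!@" and empty-string counts are the ones quoted in the thread).

```python
# Constructed sample in "count password" order so an empty password survives
# parsing (the trailing space on the "863" line is the empty password).
# The dearbook, "!@" and empty-string counts are the ones quoted in the thread;
# every other line and count is made up for this example.
SAMPLE = (
    "235039 123456789\n"
    "212761 12345678\n"
    "76348 11111111\n"
    "46053 dearbook\n"
    "15000 qwerty\n"
    "9000 iloveyou\n"
    "1006 !@\n"
    "863 \n"
    "700 woaini1314\n"
)

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8  # assumed policy minimum


def parse_counts(text: str) -> list:
    """Return (password, account_count) pairs; the count comes first so that an
    empty password is still parsed as a row."""
    rows = []
    for line in text.splitlines():
        count, _, password = line.partition(" ")
        rows.append((password, int(count)))
    return rows


def is_keyboard_walk(password: str) -> bool:
    """A run of four or more adjacent keys along one row, in either direction."""
    p = password.lower()
    if len(p) < 4:
        return False
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def classify(password: str) -> str:
    """One category per password, checked from most to least specific."""
    if password == "":
        return "empty"
    if is_keyboard_walk(password):
        return "keyboard-walk"
    if len(set(password)) == 1:
        return "repeated"
    if len(password) < MIN_LENGTH:
        return "short"
    return "ok"


def summarize(text: str) -> dict:
    """Accounts per category, the view a policy review would start from."""
    totals = {}
    for password, count in parse_counts(text):
        cat = classify(password)
        totals[cat] = totals.get(cat, 0) + count
    return totals
```

On the constructed list, the walks and repeats alone account for far more accounts than every "ok" password together, which is the practical argument for rejecting those patterns at registration rather than only requiring a minimum length: "11111111" and "12345678" both satisfy an eight-character rule.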
