Chinese Developer Forum Leaks 6 Million User Credentials

← Back to Stories (view on slashdot.org)

Chinese Developer Forum Leaks 6 Million User Credentials

Posted by timothy on Thursday December 22, 2011 @03:57AM from the it's-curtains-for-you-elizabeth-my-dearbook dept.

gzipped_tar writes "The 'Chinese Software Developer Network' (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the largest networks of software developers in China. A text file with 6 million CSDN user credentials including user names, password, emails, all in clear text, got leaked to the Internet. The CSDN has issued a letter of apology to its users. In the letter, it is explained that passwords created before April 2009 had been stored in plain text, while later passwords were encrypted. Users created between September 2010 and January 2011 may still suffer from email address leaks. A summary of the most frequent passwords without the corresponding usernames is available at GitHub. Somewhat surprisingly, the cryptic sounding password 'dearbook' ranks 4th with 46053 accounts using it."

56 of 102 comments (clear)

Min score:

Reason:

Sort:

'dearbook'? by 1s44c · 2011-12-22 04:03 · Score: 1

What does 'dearbook' mean something to the chinese? It sounds like nonsense to a native English speaker.
Clear text passwords - idiots.
1. Re:'dearbook'? by BigMattyC · 2011-12-22 04:13 · Score: 2, Insightful
  
  It is probably a reference to Mao's Little Red Book. http://en.wikipedia.org/wiki/Quotations_from_Chairman_Mao#Images_from_.22The_Little_Red_Book.22
2. Re:'dearbook'? by Anonymous Coward · 2011-12-22 04:14 · Score: 5, Informative
  
  dearbook.com.cn is a chinese online technical book retailer owned by CSDN.
3. Re:'dearbook'? by Anonymous Coward · 2011-12-22 04:15 · Score: 1
  
  It's the Chinese' answer to Amazon (dearbook.com.cn). Probably devs for said site.
4. Re:'dearbook'? by TheModelEskimo · 2011-12-22 04:23 · Score: 2
  
  Checking it out a bit further, looks like Dearbook is the name of an online IT community or something similar. I found some relation between Dearbook and this CSDN thing so maybe it's like somebody using the password "Geeknet" for Slashdot? Something in that vein, anyway.
5. Re:'dearbook'? by somersault · 2011-12-22 04:34 · Score: 1
  
  All 47000?
  Do excuse me for this. Ahem. "lol".
  
  --
  which is totally what she said
6. Re:'dearbook'? by robbo · 2011-12-22 04:37 · Score: 2
  
  Could be cultural but my money is on several thousand spammer-created accounts using the same password.
  
  --
  So long, and thanks for all the Phish
7. Re:'dearbook'? by Baloroth · 2011-12-22 04:37 · Score: 2
  
  Wait, how do you know my password?! You hacker!!
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
8. Re:'dearbook'? by robbo · 2011-12-22 04:42 · Score: 1
  
  Ok, I'm wrong about this- most likely the bookstore...
  
  --
  So long, and thanks for all the Phish
9. Re:'dearbook'? by jc42 · 2011-12-22 04:57 · Score: 2
  
  Another likely cause is some software package that uses "dearbook" as the default password, or uses it in examples. People have a way of making minimal changes in things that they install, out of fear of breaking something. They also tend to copy examples literally, even the fields that are supposed to contain personal information.
  
  --
  Those who do study history are doomed to stand helplessly by while everyone else repeats it.
10. Re:'dearbook'? by kramulous · 2011-12-22 23:05 · Score: 1
  
  A work friend's response:
  ----------------
  From what I guess, (just for fun)
  In English,
  1."Oh Dear"=="Oh God"
  divide "Oh" on both sides=> dear==god
  thus "dearbook" =="godbook"
  In Chinese,
  "tian"=="god"
  "shu"=="book"
  "tian shu" literally means a book that only God can read. It is basically a book has nothing but blank pages. :)
  
  --
  .
"Who cares" level of password by Anonymous Coward · 2011-12-22 04:10 · Score: 4, Insightful

They all seem to be the sort of password I'd type in for an account that I really don't care about, and am only creating because it's mandatory.
Does the site offer/store anything that would be worth the effort of creating a password worth caring about?
1. Re:"Who cares" level of password by jabbany · 2011-12-22 04:51 · Score: 2
  
  Does the site offer/store anything that would be worth the effort of creating a password worth caring about?
  As a CSDN user, I'd say : No.
  Still, it doesn't prevent millions of users, who are too 'busy' to even bother use a dummy password, from actually using their main passwords (web banking, email etc.) on the AD riddled forum.
Before April 2009 by tchernobog · 2011-12-22 04:15 · Score: 4, Insightful

passwords created before April 2009 had been stored in plain text
UPDATE users SET password = SHA1(password) WHERE created_at
There. Did it for you. Won't prevent everything getting stolen, but at least you don't give away any more passwords reusable on other websites.
I mean... seriously?? So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

--
42.
1. Re: before April 2009 by tchernobog · 2011-12-22 04:17 · Score: 2
  
  UPDATE users SET password = SHA1(password) WHERE created_at <= '2009-04-01';
  I hate angular brackets in HTML.
  
  --
  42.
2. Re:Before April 2009 by OverlordQ · 2011-12-22 04:19 · Score: 4, Informative
  
  So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.
  Mediawiki is (re: was) like that. When it changes password schemes it detects which version the pw is stored in, authenticates using that (older) method and then upgrades you to the new format.
  
  --
  Your hair look like poop, Bob! - Wanker.
3. Re:Before April 2009 by Ex+Machina · 2011-12-22 04:22 · Score: 3, Insightful
  
  That's cool, but there should be salting. http://en.wikipedia.org/wiki/Salt_(cryptography)
4. Re:Before April 2009 by Anonymous Coward · 2011-12-22 04:32 · Score: 1
  
  This is because the old format was ALSO hashed (but not salted). You can't do the update query above unless you have the plaintext.
5. Re:Before April 2009 by AmiMoJo · 2011-12-22 05:38 · Score: 1
  
  If it only updates after login and you don't login any more because you got fed up with wiki*...
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
6. Re:Before April 2009 by Anonymous Coward · 2011-12-22 05:39 · Score: 1
  
  Ex Machina, you culturally ignorant slut. Don't try forcing your Occidental mores on other cultures. In China they season their passwords with MSG instead of salt.
7. Re:Before April 2009 by RobertinXinyang · 2011-12-22 12:41 · Score: 1
  
  I live in China, the problem is not that the technicians do not know how to do this (well many are shockingly incompetent; if I described my desktop XP install, here in my office, you would blanch); the problem is that the decisions are not made by the people doing the work. The decisions about what needs to be done are made by leaders.
  The leaders do not need to hear ideas from below, if the people below had any worthy ideas then they would be leaders. They give orders and the orders are acted on; or not depending on if the capacity to follow the order is present. What they do not do is listen. As such, they do not allow actions that the "workers" see as needed. Further, if an order is given and the capacity is not present, the work just doesn't get done. Then, at the next meeting they demand that it get done in a more forceful manner; but, they still do not listen to why it wasn't done.
  The typical result is that what needs to be done is eventually accomplished; but, in an outlandishly inefficient manner because the workers are using makeshift tool and methods.
  Back to the problem, I suspect that many see the problem; however, until a "leader" sees the problem then no orders will be given and nothing will be done.
I've never understood clear text passwords by Anonymous Coward · 2011-12-22 04:15 · Score: 2, Insightful

It's sooooo easy to md5 a password before doing anything with it. md5 it in javascript and never bother collecting the clear text, is it the most secure ever? probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.
1. Re:I've never understood clear text passwords by _0xd0ad · 2011-12-22 04:44 · Score: 4, Insightful
  
  If the MD5 is all that gets sent, it is the password. If someone gets the MD5 hashes they can log in by hacking the Javascript to send the MD5 without ever having the original password.
2. Re:I've never understood clear text passwords by jabbany · 2011-12-22 04:46 · Score: 2, Informative
  
  It's sooooo easy to md5 a password before doing anything with it. md5 it in javascript and never bother collecting the clear text, is it the most secure ever? probably not. Is it a billion times better than cleartext and unbelievably easy? Yes.
  Actually, doing MD5 on a client side script is severe no-no if it were the only form of authentication. A hacker could simply run a script running through all 16^32 possiblities of the MD5 hash instead of the almost infinite possiblities of the original password. Doing a client side MD5 actually weakens many passwords instead of strenthening them. You're left with something around an 18 character alpha-numeric-symbol password - no matter how long or difficult your original password was.
3. Re:I've never understood clear text passwords by _0xd0ad · 2011-12-22 05:13 · Score: 2
  
  Do you have any idea how many that is?
  16^32 = 3.4x10^38
  If they could try 1M hashes per second, that would take over 10^25 years...
4. Re:I've never understood clear text passwords by ftobin · 2011-12-22 05:25 · Score: 1
  
  What you say is true, but one benefit of doing an MD5 before it's sent is that one can't infer other passwords from a MD5 hash. A person might use passwords that follow a similar pattern that can be deduced by looking at cleartext, but not from hashes. For example, passwords a person might use could be "mypassword@slashdot", and "mypassword@sourceforge", one could probably guess their Facebook password.
  Added salt helps even further.
  The conclusion is that the authenticator should never receive the client's plaintext password in any form; it should always be one-way transformed before it leaves the client.
5. Re:I've never understood clear text passwords by Anonymous Coward · 2011-12-22 05:54 · Score: 1
  
  there's an easy way to fix this kind of flaws: browser could send md5(password) but the db could store md5(md5(password))
6. Re:I've never understood clear text passwords by _0xd0ad · 2011-12-22 06:00 · Score: 3, Insightful
  
  There's nothing wrong with hashing your own password so that someone can't infer "mypassword@sourceforge" from "mypassword@slashdot", but you can't trust a client-side hash function any more than you can trust the server-side authentication, unless it's your client-side hash function.
  There's no benefit in designing a login form that hashes the password before it's sent, as long as the form is using SSL. Furthermore, there's no backward-compatibility for people who have Javascript disabled. They can't log in.
7. Re:I've never understood clear text passwords by ftobin · 2011-12-22 07:18 · Score: 1
  
  You don't have to trust the client-side hashing function, as ordinarily you're not expecting it to be implemented on top of ordinary security. It's simply a bonus level of security a site can provide, even in the case of SSL transport, in case the receiver is compromised. In other words, it's possible that one component of the authentication process that handles the client-side-generated string (either a hash or cleartext password) is compromised, but not the authentication prompter itself. In this sort of case, there are clear benefits to client-side hashing.
  I should note that I'm not limiting my discussion to webpage-style authentication. If the protocol enforces hashing on the client-side before sending, you don't have to worry about trusting the client-side or javascript being disabled.
8. Re:I've never understood clear text passwords by _0xd0ad · 2011-12-22 07:46 · Score: 1
  
  You don't have to trust the client-side hashing function, as ordinarily you're not expecting it to be implemented on top of ordinary security. It's simply a bonus level of security a site can provide
  From the user's perspective, the same benefits would be obtained equally well by simply not re-using passwords. From the web designer's perspective, there's no benefit to hashing on the client vs. on the server.
  
  even in the case of SSL transport, in case the receiver is compromised
  The hash is still the password, so if the receiver is compromised, you get the password.
  
  If the protocol enforces hashing on the client-side before sending, you don't have to worry about trusting the client-side or javascript being disabled.
  Maybe you have confused hashing with encryption.
9. Re:I've never understood clear text passwords by pclminion · 2011-12-22 08:23 · Score: 1
  
  How about a browser plugin that causes every password text box to automatically hash its contents before submitting the form? Something like this:
  User enters password in password field. Browser consults a salt database, keyed by hostname. If entry for this host is not found, adds one, and generates a random salt. Otherwise, uses previously generated salt. The browser then concatenates the password in the input field with the salt. Hashes the result. Represents in base64. The result of all this is what is actually submitted to the form.
  Now you've forced your password to be salted and hashed regardless of what the web site is doing with it. Even if they store it in plain text, no matter.
10. Re:I've never understood clear text passwords by _0xd0ad · 2011-12-22 08:50 · Score: 1
  
  That's why I said there's nothing wrong with hashing your own passwords. However, in practice, just about every web site has its own quirky rules about what can or can't be used as a password, which makes it hard to use any single system for all of them.
11. Re:I've never understood clear text passwords by _0xd0ad · 2011-12-22 09:50 · Score: 1
  
  No. Perhaps I should try to explain it again, very carefully. See if you can follow this.
  If it's hashed on the client side, either it is or it isn't also hashed on the server side. Consider these scenarios separately:
  First, assuming it's only hashed once, on the client side. That hash is transmitted and stored on the server. If someone dumps the database and gets those hashes, they don't need the original password: hack the client-side to just send the correct hash without needing the original password to create that hash.
  The other scenario, where it's hashed at both the client and the server, implies that you don't trust the website to transmit your un-hashed password - in which case, you shouldn't trust it to have your un-hashed password in the first place. Hash your password first, then use that as a password for that site.
  In neither case does automatically hashing the password on the client-side accomplish anything useful. The first is woefully insecure and the second is no more secure than sending the password itself. If you're using SSL, it should be fine.
12. Re:I've never understood clear text passwords by Arrepiadd · 2011-12-22 10:28 · Score: 1
  
  If I understood what you meant; how do I log in from another computer?
13. Re:I've never understood clear text passwords by scdeimos · 2011-12-22 11:53 · Score: 1
  
  User enters password in password field. Browser consults a salt database, keyed by hostname. If entry for this host is not found, adds one, and generates a random salt. Otherwise, uses previously generated salt. The browser then concatenates the password in the input field with the salt. Hashes the result. Represents in base64. The result of all this is what is actually submitted to the form.
  I guess you can say goodbye to federated authentication schemes like OpenLogin.
14. Re:I've never understood clear text passwords by jrumney · 2011-12-22 13:18 · Score: 1
  
  md5 it in javascript and never bother collecting the clear text, is it the most secure ever?
  Doing it like you describe, it is effectively a cleartext password, albeit a different one than the user typed.
Re:some thing to do with dearleader? by Anonymous Coward · 2011-12-22 04:16 · Score: 1

Do you really think that is true? Especially in the technical world? That US people have no idea that there are other cultures in the world? Pfftt ... BTW ... do YOU know what a dearbook is? Show me YOUR lack of ignorance! And do it without searching the Internet :)
I find it "surprising" that people continue to stereotype all US people as ignorant of other cultures.
Re:some thing to do with dearleader? by somersault · 2011-12-22 04:28 · Score: 1

Especially in the technical world, yes. I was reading an interview with Linus where he says that most people use English when talking about technical matters even if they both have the same first language.

--
which is totally what she said
Re:some thing to do with dearleader? by cyfer2000 · 2011-12-22 04:29 · Score: 4, Informative

it's an online book store.

--
There is a spark in every single flame bait point.
What... by CAIMLAS · 2011-12-22 04:33 · Score: 1

After looking at port scans this morning, I have one thing to say: what goes around comes around. I have a hard time thinking such incompetence as would lead to so many exploited machines is possible without just a little bit of malice.

--
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Re:some thing to do with dearleader? by Baloroth · 2011-12-22 04:36 · Score: 2, Insightful

But that doesn't mean people are ignorant of cultures. English is simply a good language for technical matters, for a large number of reasons. Being the de facto standard is only the most obvious.
Also, I should point out the British invented English, not the US, and they spread it around the world, so I'm really not sure what your point here is. Point of fact, the US probably has more variety of culture than any other nation in the world.

--
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Re:How many people here on slashdot by g0bshiTe · 2011-12-22 04:40 · Score: 4, Funny

I looked for mine, 1234 wasn't on the list.

Shit! Now I have to change it. I'll just add a 5.

--
I am Bennett Haselton! I am Bennett Haselton!
Storing cleartext passwords is asking for trouble. by mortonda · 2011-12-22 04:43 · Score: 1

I'm looking at you, Mailman... http://www.list.org/
Re:some thing to do with dearleader? by somersault · 2011-12-22 04:48 · Score: 1

It doesn't necessarily, but it does mean that many people can speak to others online assuming they're American just because they speak English. People assume I'm American all the time..

--
which is totally what she said
18th password? by Sollord · 2011-12-22 04:56 · Score: 2

I understand where a lot of the passwords come form but what is the basis for the 18th on the list "xiazhili" What does it mean? I doesn't line up with anything I can figure out like the others
1. Re:18th password? by Mojo66 · 2011-12-22 05:41 · Score: 1
  
  The Chines language is made of thousands of symbols and there is a translation table to map those symbols to the 26 western characters. "xiazhili" might be chinese for 'swordfish'.
2. Re:18th password? by amicusNYCL · 2011-12-22 06:33 · Score: 1
  
  My favorites are line 82 ("!@", with 1006 accounts using it), and line 94 (empty string, with 863 accounts).
  So in addition to storing passwords in clear text, they also have (had?) no password requirements at all.
  And I bet some of the people there are the same people hacking into our critical infrastructure. What does that say about us?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
3. Re:18th password? by LokiMorgan · 2011-12-22 07:49 · Score: 1
  
  poor password and iloveyou, knocked down to the top 30!
Re:some thing to do with dearleader? by sqldr · 2011-12-22 05:10 · Score: 1

Sort of. It and "Lowland Scots" evolved alongside eachother with the same root. They diverged over a couple of centuries, but they are still very similar, and it's quite comprehensible to a native English speaker.

--
I wrote my first program at the age of six, and I still can't work out how this website works.
... for new malware attack vector by Transdimentia · 2011-12-22 05:52 · Score: 1

... for new malware attack vector on daft news readers.
password swiping by fdor · 2011-12-22 06:18 · Score: 1

We've had at least 3 engineers from Chinese companies visit us that put their index finger on 1 and swipe 23456789 all in one motion for their laptop password. I had never seen that before working with the Chinese. Is swiping the keyboard for passwords only popular in China, or do idiots everywhere do that?
Re:fraction by ElementOfDestruction · 2011-12-22 08:07 · Score: 1

Thank god. Here I was thinking it was 000.6% or - even worse - 00.6%!
Chinese number combos by damian2k · 2011-12-22 14:07 · Score: 1

english 'iloveyou' is at #26 but the Mandarin for the same is 'wo ai ni' ... 'woaini1314' is at #83. the 1314 means "forever" ... because it sounds like forever when pronounced in Cantonese. At #93 is '5845201314' - when pronounced in mandarin - 'wo fa shi, wo ai ni, yi san yi si'. ... which sounds like - "i swear to love you forever and ever"... More here: http://en.wikipedia.org/wiki/Numbers_in_Chinese_culture#Combinations
Re:some thing to do with dearleader? by pntkl · 2011-12-22 14:27 · Score: 1

That string comes up all over the place. Seems pretty difficult to figure out, in just a moment. This is my favorite result: http://www.metacafe.com/watch/4130367/1qaz2wsx/ :P
Re:some thing to do with dearleader? by _0xd0ad · 2011-12-22 15:01 · Score: 2

1 2 3 4 5 6 7 8 9 0 q w e r t y u i o p a s d f g h j k l ; z x c v b n m , .
Re:How many people here on slashdot by kbg · 2011-12-22 21:38 · Score: 2

That's amazing. I've got the same combination on my luggage