Chinese Developer Forum Leaks 6 Million User Credentials

gzipped_tar writes "The 'Chinese Software Developer Network' (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the largest networks of software developers in China. A text file with 6 million CSDN user credentials, including user names, passwords and emails, all in clear text, got leaked to the Internet. CSDN has issued a letter of apology to its users. In the letter, it is explained that passwords created before April 2009 had been stored in plain text, while later passwords were encrypted. Users created between September 2010 and January 2011 may still suffer from email address leaks. A summary of the most frequent passwords without the corresponding usernames is available on GitHub. Somewhat surprisingly, the cryptic-sounding password 'dearbook' ranks 4th, with 46053 accounts using it."

7 of 102 comments

  1. "Who cares" level of password by Anonymous Coward · Score: 4, Insightful

    They all seem to be the sort of password I'd type in for an account that I really don't care about, and am only creating because it's mandatory.

    Does the site offer/store anything that would be worth the effort of creating a password worth caring about?

  2. Re:'dearbook'? by Anonymous Coward · Score: 5, Informative

    dearbook.com.cn is a Chinese online technical book retailer owned by CSDN.

  3. Before April 2009 by tchernobog · Score: 4, Insightful

    passwords created before April 2009 had been stored in plain text

    UPDATE users SET password = SHA1(password) WHERE created_at

    There. Did it for you. Won't prevent everything getting stolen, but at least you don't give away any more passwords reusable on other websites.

    I mean... seriously?? So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

    --
    42.
    1. Re:Before April 2009 by OverlordQ · Score: 4, Informative

      So you have to check in your code if an account has been created before and after 04/2009, and do different actions to check their credentials upon that? Yuuuck.

      MediaWiki is (re: was) like that. When it changes password schemes it detects which version the pw is stored in, authenticates using that (older) method and then upgrades you to the new format.

      --
      Your hair look like poop, Bob! - Wanker.
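The two approaches raised in this thread, tchernobog's one-shot rewrite of the clear-text rows and the scheme-detect-then-upgrade-on-login pattern OverlordQ attributes to MediaWiki, as an added illustration that is not code from the post, from CSDN or from MediaWiki. The "plain$", "sha1$" and "pbkdf2$" prefixes, the table layout and the sample accounts are constructed for the example; MediaWiki's real storage format is not reproduced here.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for the current scheme

def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    """Current scheme: salted PBKDF2-HMAC-SHA256, self-describing string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"

def migrate_plaintext(db: dict) -> int:
    """One pass over the table, the equivalent of the UPDATE in the parent
    comment: clear-text rows can be hashed immediately because the password
    is still known. Returns the number of rows rewritten."""
    n = 0
    for user, stored in db.items():
        scheme, _, value = stored.partition("$")
        if scheme == "plain":
            db[user] = pbkdf2_hash(value)
            n += 1
    return n

def verify_and_upgrade(db: dict, user: str, candidate: str) -> bool:
    """Detect the scheme a row uses, verify with that scheme, and on success
    rewrite legacy rows in the current format. Unsalted SHA1 rows cannot be
    converted offline, so they wait for a successful login."""
    stored = db.get(user)
    if stored is None:
        return False
    scheme, _, value = stored.partition("$")
    if scheme == "plain":
        ok = hmac.compare_digest(value.encode(), candidate.encode())
    elif scheme == "sha1":
        ok = hmac.compare_digest(value, hashlib.sha1(candidate.encode()).hexdigest())
    elif scheme == "pbkdf2":
        iters, salt_hex, digest = value.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(dk.hex(), digest)
    else:
        return False  # unknown scheme: fail closed
    if ok and scheme != "pbkdf2":
        db[user] = pbkdf2_hash(candidate)  # upgrade only after a verified login
    return ok

# Constructed credential table: a pre-2009 clear-text row, a row already
# rewritten as unsalted SHA1(password), and a row in the current scheme.
DB = {
    "alice": "plain$dearbook",
    "bob": "sha1$" + hashlib.sha1(b"hunter2").hexdigest(),
    "carol": pbkdf2_hash("correct horse"),
}
```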
  4. Re:some thing to do with dearleader? by cyfer2000 · Score: 4, Informative

    It's an online book store.

    --
    There is a spark in every single flame bait point.
  5. Re:How many people here on slashdot by g0bshiTe · Score: 4, Funny

    I looked for mine, 1234 wasn't on the list.

    Shit! Now I have to change it. I'll just add a 5.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  6. Re:I've never understood clear text passwords by _0xd0ad · Score: 4, Insightful

    If the MD5 is all that gets sent, it is the password. If someone gets the MD5 hashes they can log in by hacking the Javascript to send the MD5 without ever having the original password.