32 comments

[ 2.7 ms ] story [ 76.6 ms ] thread
so something that happens everyday is news worthy why? because he undersold? or is this type of data so common that it was only worth 50k USD?
this dataset contains the unique national ID, home address, cell phone number, bank card number of 130 million Chinese. you also get to know the exact time and duration of who they shared a hotel room with. it is _not_ common.
> you also get to know the exact time and duration of who they shared a hotel room with. it is _not_ common.

This is Ashley Madison territory. A goldmine for extortions.

yeah, sad you can't sell those things more than once...
(comment deleted)
For me, the shocking part is not that someone selling such private data online. The really scary thing is the fact that such a doggy company with no privacy & network security concepts whatsoever actually managed to collect private data from 130 million people in a few years.

btw, the database was not uploaded to github, some moronic programmer hard coded the url/username/password of their database into a source file and uploaded that to github. As expected, the database can easily be accessed from the internet and more than 100G of data was stolen without being noticed.

Agreed.

compared to exactis and and experian leaks though, I am wondering what makes this data valuable? (pardon my ignorance)

Edit: appears you answered in another thread.

> this dataset contains the unique national ID, home address, cell phone number, bank card number of 130 million Chinese. you also get to know who they shared a hotel room with. it is _not_ common.

Points lost for claiming VPNs are a way to access the dark web. Points gained for referring to Tor as a privacy oriented tool.
They got that it's a privacy-related thing, but they still called it a browser...
(comment deleted)
I'm always conflicted on how "correct" articles like this should be. I would prefer that they were more accurate when it comes to technology, but for the average reader (who might leave a password in git) it might be better to over simplify
> The company's developers accidentally uploaded the entire database to Github

Wait, from what I've heard, the programmer just uploaded a configuration file that contains the password of the database?

And oh boy, he's not the only one, Maybe GitHub can do something about it.

To the topic: This is the exact reason why I don't support any sort of system that log users personal information without user's control.

Because regardless how strong and secure you think your system is, all it takes is one careless action, then everything blows up.

please don't over estimate their skills and qualification. the leaked database username is root and the password is 123456.

the screenshot of the github file can be access here: https://www.secrss.com/articles/4851

and yes, that "programmer" pushed such highly sensitive company information to his personal github repo.

This happens so frequently, and is easy to scan for, sadly.

What is missing is a way to programmatically, and secretly, inform people of their mistakes. I've personally found literally hundreds of examples of this and lack the manpower to file that many tickets....

Missing? I thought they already did that. IIRC a couple of my teammates reported getting emails from github about accidentally uploading AWS credentials and the like.
What is missing is a default or recommended git hook to reject pushes that contain passwords for the patterns that are obvious.
(comment deleted)
> please don't over estimate their skills and qualification

No, I said "careless" rather than "incompetent".

Lot's of things could go wrong and cause that, I don't comment on the detail until the reason of why the password end up been pushed to GitHub is explained.

Also, I suggest Please REMOVE anything that MAY help to locate the stolen information, including content of the advertising post (Can be keyword searched).

(comment deleted)
Why do people store secrets directly in their codebase? It makes me physically ill seeing this. Environment variables exist for a reason.
123456

That's the kind of combination an idiot would have on his luggage!

Ignoring the moral/ethics concerns, how would a potential buyer know that the data is legit (if it even exists at all?).

Give me a couple of days and I'll create a fake -but real looking- set of records with millions of false customers (it would be made real enough by using public information)...

If you tell me that they'll provide an extract as "proof", I'll answer: it's easy to cook-up a realistic small sample, just using and remixing former leaks/hacks for instance...

In summary: the money aspect makes the data MUCH more suspicious than a "bragging/4tehLULz" hack.

mapping of 居民身份证 to real names..
Reputation and repeat business. You might get away with selling fake information once, i highly doubt you would get away with it twice.

I imagine its a similar scenario to how other dodgy markets work such as drugs or cryptolocker decryption keys, reputation and customer service mean a lot.

For hackers good opsec would require them to use a new persona for each separate hack. Compartimentalization. Linking separate hacks together is a really bad idea.
Perhaps if you are a buyer of this data you have similar, if smaller, databases. You could then say, here's ten thousand hashed credit card numbers from my collection. Give me the full data for ~1,000 of them. If their data lines up with yours that's a good sign.

This wouldn't be a perfect method, but if the seller could do it then it would increase my confidence a lot.

For this particular example, the buyer can simply look himself up in the dataset. LOL. This dataset is the database of the largest hotel brand of China.

I am pretty sure there are entries about me in the database (I am Chinese). It's damn embarrassing, people know me can know who I slept with if he pay 8 bitcoin now. Now I hope the price of bitcoins goes up.

Folks, please remember to PURGE GIT COMMIT HISTORY of the file. It does no good to simply remove a password if it's there in plain (historical) sight.

https://help.github.com/articles/removing-sensitive-data-fro...

And obviously rotate the exposed credentials - because even if it was only public for "a while" it could have been viewed by many users.
Plus it could've been archived by another website or a private scraping tool which looks for exactly these sorts of exposures.

Removing it from the git history is almost irrelevant and just stops future people who find it from sniffing around. The crucial part is rotating the credentials and ensuring the credentials aren't used anywhere else.

The second step should be reviewing all logs to ensure no unauthorized logins occurred before the credentials were changed (even if the exposure was only exploitable for a few seconds).

wondering if there is a service to be built selling data through cryptocurrencies...