this dataset contains the unique national ID, home address, cell phone number, bank card number of 130 million Chinese. you also get to know the exact time and duration of who they shared a hotel room with. it is _not_ common.
For me, the shocking part is not that someone selling such private data online. The really scary thing is the fact that such a doggy company with no privacy & network security concepts whatsoever actually managed to collect private data from 130 million people in a few years.
btw, the database was not uploaded to github, some moronic programmer hard coded the url/username/password of their database into a source file and uploaded that to github. As expected, the database can easily be accessed from the internet and more than 100G of data was stolen without being noticed.
compared to exactis and and experian leaks though, I am wondering what makes this data valuable? (pardon my ignorance)
Edit: appears you answered in another thread.
> this dataset contains the unique national ID, home address, cell phone number, bank card number of 130 million Chinese. you also get to know who they shared a hotel room with. it is _not_ common.
I'm always conflicted on how "correct" articles like this should be. I would prefer that they were more accurate when it comes to technology, but for the average reader (who might leave a password in git) it might be better to over simplify
This happens so frequently, and is easy to scan for, sadly.
What is missing is a way to programmatically, and secretly, inform people of their mistakes. I've personally found literally hundreds of examples of this and lack the manpower to file that many tickets....
Missing? I thought they already did that. IIRC a couple of my teammates reported getting emails from github about accidentally uploading AWS credentials and the like.
> please don't over estimate their skills and qualification
No, I said "careless" rather than "incompetent".
Lot's of things could go wrong and cause that, I don't comment on the detail until the reason of why the password end up been pushed to GitHub is explained.
Also, I suggest Please REMOVE anything that MAY help to locate the stolen information, including content of the advertising post (Can be keyword searched).
Ignoring the moral/ethics concerns, how would a potential buyer know that the data is legit (if it even exists at all?).
Give me a couple of days and I'll create a fake -but real looking- set of records with millions of false customers (it would be made real enough by using public information)...
If you tell me that they'll provide an extract as "proof", I'll answer: it's easy to cook-up a realistic small sample, just using and remixing former leaks/hacks for instance...
In summary: the money aspect makes the data MUCH more suspicious than a "bragging/4tehLULz" hack.
Reputation and repeat business. You might get away with selling fake information once, i highly doubt you would get away with it twice.
I imagine its a similar scenario to how other dodgy markets work such as drugs or cryptolocker decryption keys, reputation and customer service mean a lot.
For hackers good opsec would require them to use a new persona for each separate hack. Compartimentalization. Linking separate hacks together is a really bad idea.
Perhaps if you are a buyer of this data you have similar, if smaller, databases. You could then say, here's ten thousand hashed credit card numbers from my collection. Give me the full data for ~1,000 of them. If their data lines up with yours that's a good sign.
This wouldn't be a perfect method, but if the seller could do it then it would increase my confidence a lot.
For this particular example, the buyer can simply look himself up in the dataset. LOL. This dataset is the database of the largest hotel brand of China.
I am pretty sure there are entries about me in the database (I am Chinese). It's damn embarrassing, people know me can know who I slept with if he pay 8 bitcoin now. Now I hope the price of bitcoins goes up.
Plus it could've been archived by another website or a private scraping tool which looks for exactly these sorts of exposures.
Removing it from the git history is almost irrelevant and just stops future people who find it from sniffing around. The crucial part is rotating the credentials and ensuring the credentials aren't used anywhere else.
The second step should be reviewing all logs to ensure no unauthorized logins occurred before the credentials were changed (even if the exposure was only exploitable for a few seconds).
32 comments
[ 2.7 ms ] story [ 76.6 ms ] threadThis is Ashley Madison territory. A goldmine for extortions.
btw, the database was not uploaded to github, some moronic programmer hard coded the url/username/password of their database into a source file and uploaded that to github. As expected, the database can easily be accessed from the internet and more than 100G of data was stolen without being noticed.
compared to exactis and and experian leaks though, I am wondering what makes this data valuable? (pardon my ignorance)
Edit: appears you answered in another thread.
> this dataset contains the unique national ID, home address, cell phone number, bank card number of 130 million Chinese. you also get to know who they shared a hotel room with. it is _not_ common.
Wait, from what I've heard, the programmer just uploaded a configuration file that contains the password of the database?
And oh boy, he's not the only one, Maybe GitHub can do something about it.
To the topic: This is the exact reason why I don't support any sort of system that log users personal information without user's control.
Because regardless how strong and secure you think your system is, all it takes is one careless action, then everything blows up.
the screenshot of the github file can be access here: https://www.secrss.com/articles/4851
and yes, that "programmer" pushed such highly sensitive company information to his personal github repo.
What is missing is a way to programmatically, and secretly, inform people of their mistakes. I've personally found literally hundreds of examples of this and lack the manpower to file that many tickets....
No, I said "careless" rather than "incompetent".
Lot's of things could go wrong and cause that, I don't comment on the detail until the reason of why the password end up been pushed to GitHub is explained.
Also, I suggest Please REMOVE anything that MAY help to locate the stolen information, including content of the advertising post (Can be keyword searched).
That's the kind of combination an idiot would have on his luggage!
Too true: https://github.com/search?q=spring.datasource.password%3D123...
Give me a couple of days and I'll create a fake -but real looking- set of records with millions of false customers (it would be made real enough by using public information)...
If you tell me that they'll provide an extract as "proof", I'll answer: it's easy to cook-up a realistic small sample, just using and remixing former leaks/hacks for instance...
In summary: the money aspect makes the data MUCH more suspicious than a "bragging/4tehLULz" hack.
I imagine its a similar scenario to how other dodgy markets work such as drugs or cryptolocker decryption keys, reputation and customer service mean a lot.
This wouldn't be a perfect method, but if the seller could do it then it would increase my confidence a lot.
I am pretty sure there are entries about me in the database (I am Chinese). It's damn embarrassing, people know me can know who I slept with if he pay 8 bitcoin now. Now I hope the price of bitcoins goes up.
https://help.github.com/articles/removing-sensitive-data-fro...
Removing it from the git history is almost irrelevant and just stops future people who find it from sniffing around. The crucial part is rotating the credentials and ensuring the credentials aren't used anywhere else.
The second step should be reviewing all logs to ensure no unauthorized logins occurred before the credentials were changed (even if the exposure was only exploitable for a few seconds).