
Hackers sell data of 130M Chinese hotel guests on dark web for 8 Bitcoin - rapnie
https://thenextweb.com/hardfork/2018/08/29/china-bitcoin-data-dark-web/
======
rqs
> The company's developers accidentally uploaded the entire database to Github

Wait, from what I've heard, the programmer just uploaded a configuration file
that contains the password of the database?

And oh boy, he's not the only one. Maybe GitHub can do something about it.

To the topic: This is the exact reason why I don't support any sort of system
that logs users' personal information without the users' control.

Because regardless of how strong and secure you think your system is, all it
takes is one careless action, then everything blows up.

~~~
dis-sys
please don't overestimate their skills and qualifications. the leaked database
username is root and the password is 123456.

the screenshot of the github file can be accessed here:
[https://www.secrss.com/articles/4851](https://www.secrss.com/articles/4851)

and yes, that "programmer" pushed such highly sensitive company information to
his personal github repo.

~~~
subcosmos
This happens so frequently, and is easy to scan for, sadly.

What is missing is a way to programmatically, and secretly, inform people of
their mistakes. I've personally found literally hundreds of examples of this
and lack the manpower to file that many tickets....

~~~
jjoonathan
Missing? I thought they already did that. IIRC a couple of my teammates
reported getting emails from github about accidentally uploading AWS
credentials and the like.

------
weej
Folks, please remember to PURGE GIT COMMIT HISTORY of the file. It does no
good to simply remove a password if it's there in plain (historical) sight.

[https://help.github.com/articles/removing-sensitive-data-from-a-repository/](https://help.github.com/articles/removing-sensitive-data-from-a-repository/)
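Both points above (subcosmos: this is "easy to scan for"; weej: a removed file still sits in history) can be turned into a defensive pre-push check. This is an added example, not code from the thread or from GitHub; the regex patterns, the weak-password list and the commit data are constructed for illustration and model the root/123456 config file the thread describes.

```python
import re

# Credential shapes discussed in the thread: a DB URL with embedded user:password,
# a bare password assignment in a config file, and an AWS access key id
# (the kind of thing GitHub's e-mail notices mention). Patterns are assumptions.
SECRET_PATTERNS = {
    "db_url": re.compile(r"\b(?:mysql|postgres(?:ql)?|mongodb)://([^:/\s]+):([^@\s]+)@[\w.\-]+", re.I),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s,]+)", re.I),
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}
# Trivially guessable values; the thread reports root/123456 on the leaked database.
WEAK_PASSWORDS = {"123456", "password", "root", "admin", "12345678", "qwerty"}

def mask(value):
    """Keep only the first and last character so the report never re-leaks the secret."""
    return value if len(value) <= 2 else value[0] + "*" * (len(value) - 2) + value[-1]

def find_secrets(text):
    """Return (line_no, kind, masked_secret, is_weak) tuples for one file's content."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(2) if kind == "db_url" else m.group(1)
            if secret.startswith(("$", "{", "<")):  # templated placeholder, not a literal
                continue
            findings.append((line_no, kind, mask(secret), secret.lower() in WEAK_PASSWORDS))
    return findings

def scan_history(commits):
    """Scan every file version in every commit: deleting the file in HEAD is not enough."""
    report = {}
    for commit in commits:
        hits = []
        for path, content in commit["files"].items():
            hits += [(path,) + f for f in find_secrets(content)]
        if hits:
            report[commit["id"]] = hits
    return report

# Constructed mini-history: c1 pushes a config with root/123456, c2 "removes" it.
SAMPLE_COMMITS = [
    {"id": "c1", "files": {"config/db.properties": "host=db.example.internal\nusername=root\npassword=123456\n"}},
    {"id": "c2", "files": {"README.md": "config moved to environment variables\n"}},
]

if __name__ == "__main__":
    for commit_id, hits in scan_history(SAMPLE_COMMITS).items():
        for path, line_no, kind, masked, weak in hits:
            print(f"{commit_id}:{path}:{line_no} {kind} {masked}{' WEAK' if weak else ''}")
```

A hit in any commit other than HEAD is exactly the case weej describes: the secret is gone from the working tree but still readable by anyone who clones the repository.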

~~~
stevekemp
And obviously rotate the exposed credentials - because even if it was only
public for "a while" it could have been viewed by many users.

~~~
meowface
Plus it could've been archived by another website or a private scraping tool
which looks for exactly these sorts of exposures.

Removing it from the git history is almost irrelevant and just stops future
people who find it from sniffing around. The crucial part is rotating the
credentials and ensuring the credentials aren't used anywhere else.

The second step should be reviewing all logs to ensure no unauthorized logins
occurred before the credentials were changed (even if the exposure was only
exploitable for a few seconds).

------
dis-sys
For me, the shocking part is not that someone is selling such private data
online. The really scary thing is the fact that such a dodgy company with no
privacy & network security concepts whatsoever actually managed to collect
private data from 130 million people in a few years.

btw, the database was not uploaded to github, some moronic programmer hard-
coded the url/username/password of their database into a source file and
uploaded that to github. As expected, the database can easily be accessed from
the internet and more than 100G of data was stolen without being noticed.

~~~
fosco
Agreed.

compared to the Exactis and Experian leaks though, I am wondering what makes
this data valuable? (pardon my ignorance)

Edit: appears you answered in another thread.

> this dataset contains the unique national ID, home address, cell phone
> number, bank card number of 130 million Chinese. you also get to know who
> they shared a hotel room with. it is _not_ common.

------
crtasm
Points lost for claiming VPNs are a way to access the dark web. Points gained
for referring to Tor as a privacy-oriented tool.

~~~
sanityvampire
They got that it's a privacy-related thing, but they still called it a
browser...

~~~
frockington
I'm always conflicted on how "correct" articles like this should be. I would
prefer that they were more accurate when it comes to technology, but for the
average reader (who might leave a password in git) it might be better to
oversimplify.

------
northfoxz2015
wondering if there is a service to be built selling data through
cryptocurrencies...

------
djstein
so something that happens every day is newsworthy why? because he undersold?
or is this type of data so common that it was only worth 50k USD?

~~~
dis-sys
this dataset contains the unique national ID, home address, cell phone number,
bank card number of 130 million Chinese. you also get to know the exact time
and duration of who they shared a hotel room with. it is _not_ common.

~~~
TeMPOraL
> _you also get to know the exact time and duration of who they shared a hotel
> room with. it is _not_ common._

This is Ashley Madison territory. A goldmine for extortions.

------
LarryL
Ignoring the moral/ethics concerns, how would a potential buyer know that the
data is legit (if it even exists at all)?

Give me a couple of days and I'll create a fake (but real-looking) set of
records with millions of false customers (it would be made real enough by
using public information)...

If you tell me that they'll provide an extract as "proof", I'll answer: it's
easy to cook up a realistic small sample, just using and remixing former
leaks/hacks for instance...

In summary: the money aspect makes the data MUCH more suspicious than a
"bragging/4tehLULz" hack.

~~~
swarnie_
Reputation and repeat business. You might get away with selling fake
information once, I highly doubt you would get away with it twice.

I imagine it's a similar scenario to how other dodgy markets work such as drugs
or cryptolocker decryption keys, reputation and customer service mean a lot.

~~~
21
For hackers good opsec would require them to use a new persona for each
separate hack. Compartmentalization. Linking separate hacks together is a
really bad idea.

