Full Report
In 2011, the China Software Developer Network (CSDN) suffered a data breach that exposed over 6M user records. The data included email addresses alongside usernames and plain text passwords.
Analysis Summary
# Incident Report: CSDN Data Breach (2011)
## Executive Summary
In December 2011, the China Software Developer Network (CSDN) experienced a significant data breach resulting in the exposure of over 6 million user records. The compromised data included sensitive PII such as usernames, email addresses, and crucially, passwords stored in plain text. The breach serves as a critical reminder of the risks associated with insecure data storage practices.
## Incident Details
- Discovery Date: November 27, 2025 (the date the breach was added to HIBP; the original public disclosure date is not explicitly stated in the source material, but the breach itself occurred in 2011)
- Incident Date: December 2011 (Breach Occurred)
- Affected Organization: China Software Developer Network (CSDN)
- Sector: Technology/Online Developer Community
- Geography: China
## Timeline of Events
### Initial Access
- Date/Time: December 2011
- Vector: Not explicitly detailed in the source material. The available information strongly implies that the attackers exploited a weakness in the organization's systems that allowed unauthorized access to the user database.
- Details: Attackers gained access to the user database server.
### Lateral Movement
- Not detailed in the source material. Given the extent of the data access (full database extract), lateral movement was likely either unnecessary or involved focusing on the database systems themselves.
### Data Exfiltration/Impact
- **Data Exfiltrated:** Usernames, email addresses, and plain text passwords for approximately 6.4 million accounts.
### Detection & Response
- **Detection:** The breach was publicly recognized and indexed significantly later (for example, it was added to HIBP on Nov 27, 2025, reflecting its continuing public impact). No timeline for the initial operational detection is available.
- **Response Actions:** The provided material focuses on recommended actions for affected users (change passwords, enable 2FA) rather than specific organizational response steps taken by CSDN at the time.
## Attack Methodology
- Initial Access: Unknown/Implied system vulnerability exploitation.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Gained direct access to credentials/passwords stored in **plain text**.
- Discovery: Implied internal reconnaissance to locate and dump user data tables.
- Lateral Movement: Not detailed.
- Collection: Mass retrieval/dumping of user database tables.
- Exfiltration: Transfer of the compromised 6.4M user records.
- Impact: Credential compromise across possibly multiple other platforms due to credential reuse.
## Impact Assessment
- Financial: Not detailed.
- Data Breach: **6.4 million user records** exposed. Data included usernames, email addresses, and **plain text passwords**.
- Operational: Not detailed regarding internal system downtime.
- Reputational: Significant long-term damage due to the highly sensitive nature of the exposed data (plain text passwords).
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Direct database access/dump suggestive of SQL injection or compromised credentials/administrator access.
## Response Actions
- **Containment:** Not detailed.
- **Eradication:** Not detailed.
- **Recovery actions (User-Recommended):** Affected users were advised to immediately change passwords on all accounts where the compromised credentials were used and to enable Two-Factor Authentication (2FA) where supported.
## Lessons Learned
- **Storage Security Failure:** The primary failure was storing user passwords in **plain text**. This practice automatically maximizes the impact of any data breach, as all credentials are immediately usable by the attacker.
## Recommendations
- **Password Hashing:** Immediately replace plain text storage with a dedicated slow, one-way password hashing function (e.g., Argon2, bcrypt), using a unique random salt for every stored password.
- **Data Minimization:** Review and purge unnecessary user data that is not absolutely essential for service functionality.
- **Incident Communication:** Establish clear protocols for promptly notifying affected users and the public when a breach is confirmed.
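To make the Password Hashing recommendation concrete, the following added example (not code from CSDN or from the source report) takes records in the plain text layout described above, converts them to salted one-way hashes, and verifies logins against the hashed form. The sample records are constructed for illustration. PBKDF2-HMAC-SHA256 from Python's standard library is used as a stand-in for Argon2 or bcrypt, which require third-party packages; the record format, the iteration count and the function names are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Constructed sample records in the layout the report describes
# (username, email, plain text password). Invented for illustration only.
PLAINTEXT_RECORDS = [
    ("dev_alice", "alice@example.invalid", "hunter2"),
    ("dev_bob", "bob@example.invalid", "Passw0rd!"),
]

# Work factor for PBKDF2-HMAC-SHA256, a standard-library stand-in for
# Argon2/bcrypt. Raise it over time as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing hash string: scheme$iterations$salt$digest.

    A fresh random salt per password means two users with the same password
    get different stored values, and precomputed tables are useless.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare
    in constant time. Malformed stored values never verify."""
    try:
        scheme, iter_s, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iter_s)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a stored hash uses an old scheme or a lower work factor
    than the current target, so it can be upgraded at the user's next login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < target_iterations


def migrate_records(records):
    """Replace the plain text password column with a salted hash.

    Because the plain text is available (the failure mode in this report),
    every record can be converted in one pass; no login is needed first.
    """
    return [(user, email, hash_password(pw)) for user, email, pw in records]


if __name__ == "__main__":
    hashed = migrate_records(PLAINTEXT_RECORDS)
    for (user, _, pw), (_, _, stored) in zip(PLAINTEXT_RECORDS, hashed):
        print(user, stored[:40] + "...", "login ok:", verify_password(pw, stored))
```

A leaked copy of the migrated table now yields only salts and digests, so an attacker must spend the full work factor per guess per account instead of reading credentials directly; `needs_rehash` lets the work factor be raised later without a second mass migration.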