Bilibili source code containing user names and passwords leaked on GitHub

(Image credit: Bilibili).

A repository containing a large number of user names and passwords for Chinese video-streaming site Bilibili was found on open-source software development platform GitHub, Chinese media reported on Monday.

The repository, called “Bilibili website backend codes,” has been taken down by GitHub “due to excessive use of resources,” the company said. It contained more than 50 megabytes of source code, according to a Reddit post dated Monday. A key opinion leader (KOL) on microblogging site Weibo posted two screenshots of the leaked code, which have since been taken down. One screenshot shows the redacted username and password of a Bilibili user.
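The leak described above is, at bottom, credentials committed to source code and pushed to a public host. The following is an added example, not code from Bilibili, GitHub or this article: a small pre-commit style scanner in Python that flags secret-named variables assigned a literal value and user:password pairs embedded in connection URLs. It runs over a constructed sample settings file (every name and value in it is fictional) and masks what it reports so the scanner's own output is not a second leak.

```python
"""Minimal hard-coded credential scanner.

Added example for this article; it is not Bilibili's or GitHub's code. It
demonstrates the check that keeps secrets out of a repository before it is
pushed: scan each source line for credential-looking assignments and
user:password pairs embedded in connection URLs, and report a masked value.
"""
import re
import sys
from typing import List, NamedTuple

# Constructed sample resembling a backend settings file. All values are fictional.
SAMPLE_SOURCE = """\
# database settings
DB_HOST = "db.internal.example"
DB_USER = "bili_backend"
DB_PASSWORD = "Sup3rS3cretPassw0rd!"
password = os.environ.get("DB_PASSWORD")
api_token = "a9f3c2e7b1d4f6a8c0e2b4d6f8a1c3e5"
REDIS_URL = "redis://admin:hunter2@cache.internal:6379"
debug = True
SMTP_PASSWORD = "${SMTP_PASSWORD}"
"""


class Finding(NamedTuple):
    line_no: int
    rule: str
    masked_value: str


# Rule 1: a secret-named variable assigned a quoted literal. Reading the value
# from the environment (line 5 of the sample) deliberately does not match.
SECRET_ASSIGN = re.compile(
    r"""(?i)\b[a-z0-9_]*(?:passw(?:or)?d|pwd|secret|token|api_?key)[a-z0-9_]*"""
    r"""\s*[:=]\s*['"](?P<value>[^'"]+)['"]"""
)

# Rule 2: credentials embedded in a connection URL, scheme://user:password@host
CREDENTIAL_URL = re.compile(
    r"""[a-z][a-z0-9+.-]*://[^/\s:@'"]+:(?P<value>[^@\s'"]+)@""",
    re.IGNORECASE,
)

RULES = [("secret-assignment", SECRET_ASSIGN), ("credential-in-url", CREDENTIAL_URL)]

# Template placeholders are not secrets; skipping them keeps the signal clean.
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%(")


def mask(value: str) -> str:
    """Keep two characters at each end so a finding is identifiable but not reusable."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit, in file order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group("value")
            if value.startswith(PLACEHOLDER_PREFIXES):
                continue
            findings.append(Finding(line_no, rule_name, mask(value)))
    return findings


def main() -> int:
    """Return 1 (fail the commit or CI job) when any credential is found."""
    findings = scan_source(SAMPLE_SOURCE)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.masked_value}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a pre-commit hook or a CI job, a non-zero exit blocks the push, which is the point at which a leak like this one is still cheap to fix; once a repository is public, stars and clones mean the history has already been copied.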

The repository was created by a GitHub user named “openbilibili,” who hasn’t uploaded any other projects. The GitHub profile shows the account was created in April.

Bilibili is a video-streaming website focused on animation, comics, and games (ACG) content for a younger audience. It is backed by Chinese tech giants Alibaba and Tencent and is listed on Nasdaq. The site had 92.8 million monthly active users as of end-2018.

Bilibili responded on Monday that it had reviewed the leaked code and found that it came from an older version of the website, according to The Paper (in Chinese). “We have taken defensive steps to ensure the accident won’t compromise user data security,” the company said.

Bilibili also said that it had reported the case to the authorities.

The GitHub repository had amassed at least 6,000 stars, the feature users employ to bookmark a repository, before it was taken down. Stars understate the reach of a leak, however, because downloading from GitHub is simple: every repository page has a “clone and download” button that lets anyone, even without logging in, download the whole project as a compressed archive.

GitHub is a web-based platform that developers use to collaborate on projects, helping developers track changes in source code during software development. However, the service has been used for other purposes, such as data leakage and protesting long working hours in China’s tech industry.

Another GitHub-linked data leak involving a Chinese tech company was revealed in March by Dutch cybersecurity researcher Victor Gevers, who discovered a publicly available trove of what appeared to be Huawei enterprise network credentials on the platform.