https://threatpost.com/oauth-2-0-hac...acking/121889/

looks like the chinese have busted it.