Data Leak At Alibaba’s Shopping Site Taobao Exposed Billion Bits Of User Info


A Chinese software developer used web-crawling software to scrape 1.1 billion pieces of data from Alibaba’s Taobao shopping platform, the Wall Street Journal (WSJ) reported on Tuesday (June 15), referring to a court verdict in China.

The data leak included user IDs, mobile phone numbers and user comments, WSJ reported, citing the verdict that was recently released by a district court in China’s central Henan province.

The court said that Alibaba reported the data leak to the police when the breach was noticed, WSJ reported. Taobao is among the most popular shopping platforms in China. Every month, approximately 925 million people use Taobao and other Alibaba retail sites, according to the company.

The verdict didn’t hold Alibaba accountable for the leak, but the company could be hit with administrative penalties under the 2017 cybersecurity law, You Yunting, a senior partner at Shanghai Debund Law Offices, told WSJ.

According to the Henan court filing, a software developer with the last name Lu scraped the site using a tool he developed on the Taobao platform in 2019. Lu started siphoning bits of user data from the site, and the data was then handed over to Lu’s employer, a promotions firm that worked with Taobao merchants, WSJ reported. The employer used the data to find new clients and claim Taobao coupons, per the report.

Both Lu and the unnamed employer were sentenced to over three years in prison, WSJ reported. Chinese court rulings are generally released to the public months after the verdict and usually only include surnames, the article indicated.

China’s new Data Security Law was passed in April and makes the data collected from private companies operating in the country subject to government oversight. The new legislation, which stems from the country’s 2017 Cybersecurity Law, takes effect on September 1.

The COVID-19 pandemic triggered a wave of new cyberattacks in the U.K., more than double the number in 2019 — 304 attacks in 2020 compared to 146 the year before. Dark web marketplaces are known for the buying and selling of stolen user data, PYMNTS reported last month. By some estimates, over 15 billion credentials are available on the dark web, with 5 billion stolen credentials containing unique username and password combinations.