Alibaba’s Taobao Market Sees 20M User Accounts Compromised By Hackers

Alibaba’s Taobao eCommerce marketplace has come under attack from hackers who attempted to access over 20 million active accounts, according to a state media report posted on the Chinese Internet regulator’s website. Hackers reportedly attempted to crack the site using Alibaba’s own cloud computing services.

The attempted security breach has been tough on Alibaba’s bottom line — the price of the firm’s shares took a 3.7 percent hit in late-day trading.

According to a spokesperson, Alibaba detected the attack in “the first instance.” The firm also noted that users ought to change their passwords.

Taobao is one of many Chinese sites that have recently come under attack by cybercriminal gangs — a challenge that Chinese firms are increasingly learning is more difficult to be rid of then it might seem on first glance.

As many as 99 million usernames and passwords have been hacked of late, according to a different report from the state Ministry of Public Security. And those stolen IDs were instrumental to the recent Taobao hack; after harvesting the user data, hackers then input the 99 million names into the marketplace and found that 20 million or so were a match.

The hackers started their efforts in mid-October and were discovered by Alibaba in November, at which time the breach was immediately reported to police. The hackers involved have since been apprehended.

Alibaba’s systems discovered and blocked the vast majority of login attempts. The hackers’ chosen method of theft is known as “brushing,” meaning they used compromised accounts to make fake orders — a tactic that is used to boost a seller’s rating.

And, of course, the accounts were also sold to fraudsters.

“Alibaba’s system was never breached,” an Alibaba spokesman noted — technically true, since it was actually the breach of other sites that allowed thieves with good inductive reasoning skills to access Taobao.

Alibaba also confirmed that hackers had rented cloud computing services from the company but did not comment on security measures used to repel such attacks. It was also noted that the use of Alibaba’s cloud services as the launchpad to the attack was unfortunate but not significant — the attack could have come from any cloud computing platform.