Login duplication allows 20m Alibaba accounts to be attacked


The reuse of login details on Alibaba’s Taobao has allowed an attack on 5 percent of the accounts on Alibaba’s Chinese retail sites.

Hackers in China have attempted to access over 20 million active accounts on Alibaba Group’s Taobao ecommerce website using Alibaba’s own cloud computing service, state media reports.

An Alibaba spokesman said the company detected the attack in “the first instance”, reminded users to change passwords, and worked closely with the police investigation.

Chinese companies are grappling with a sharp rise in the number of cyber attacks, and cybersecurity experts say firms have a long way to go before their defences catch up with those of US counterparts.

In the latest case, hackers obtained a database of 99 million usernames and passwords from a number of websites, according to a separate report on a website managed by the Ministry of Public Security.


The hackers then used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts, the ministry website said.

It also said the hackers started inputting the details into Taobao in mid-October and were discovered in November, at which time Alibaba immediately reported the case to police. The website said the hackers have since been caught.

According to the ministry website, Alibaba’s systems discovered and blocked the vast majority of login attempts.
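A detection check of the kind the article describes, written here as an added example and not Alibaba's own code: it scans constructed login-audit lines for sources that try many distinct usernames with a low success rate (the signature of a leaked credential list being replayed against another site) and lists the accounts whose reused credentials matched, so they can be forced through a password reset. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample login-audit lines in a hypothetical format:
# "<timestamp> src=<ip> user=<name> result=ok|fail"
SAMPLE_LOG = """\
2015-10-15T02:00:01 src=203.0.113.10 user=alice result=fail
2015-10-15T02:00:02 src=203.0.113.10 user=bob result=fail
2015-10-15T02:00:02 src=203.0.113.10 user=carol result=ok
2015-10-15T02:00:03 src=203.0.113.10 user=dave result=fail
2015-10-15T02:00:03 src=203.0.113.10 user=erin result=fail
2015-10-15T02:00:04 src=203.0.113.10 user=frank result=ok
2015-10-15T02:00:05 src=203.0.113.10 user=grace result=fail
2015-10-15T02:01:00 src=198.51.100.7 user=alice result=fail
2015-10-15T02:01:30 src=198.51.100.7 user=alice result=ok
2015-10-15T02:02:00 src=198.51.100.9 user=heidi result=ok
"""

def records(log_text):
    """Yield (src, user, success) for each non-blank log line."""
    for line in log_text.splitlines():
        if line.strip():
            kv = dict(f.split("=", 1) for f in line.split()[1:])
            yield kv["src"], kv["user"], kv["result"] == "ok"

def find_stuffing_sources(log_text, min_users=5, max_hit_rate=0.5):
    """Return {src: (distinct_users, successes)} for sources that try
    many distinct accounts with a low hit rate: the signature of a
    leaked credential list being replayed (20.59M of 99M matched in
    the Taobao case, roughly 21%), unlike one user retrying a password."""
    users, ok = defaultdict(set), defaultdict(int)
    for src, user, success in records(log_text):
        users[src].add(user)
        ok[src] += success          # bool counts as 0 or 1
    return {src: (len(names), ok[src]) for src, names in users.items()
            if len(names) >= min_users and ok[src] / len(names) <= max_hit_rate}

def accounts_to_reset(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: the
    reused credentials that matched, which should be forced through a
    password reset and have their recent orders reviewed."""
    return sorted({user for src, user, ok in records(log_text)
                   if src in flagged and ok})
```

In practice the same per-source counting would run over a sliding window, and the source key would be an ASN or cloud IP range rather than a single address, since the attackers here rented cloud capacity.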

The hackers used compromised accounts to fake orders on Taobao, a practice known as “brushing” in China and used to raise sellers’ rankings, a local newspaper said. The hackers also sold accounts to be used for fraud, it said.

Alibaba’s spokesman said the hackers rented the cloud computing service, but declined to comment on security measures designed to stop the system being used for the attack. He said they could have used any such service, and that the attack was not aided by any possible loopholes in Alibaba’s platform.

“Alibaba’s system was never breached,” the spokesman said.

The number of accounts, 20.59 million, represents about one out of every 20 annual active buyers on Alibaba’s China retail marketplaces.

In results posted earlier this week, Alibaba announced a 23 percent increase in revenue year-on-year to 77 million yuan, with net income jumping by 68 percent to 66 million yuan. The company said the increase in revenue was due to continued rapid growth of its China commerce retail business.

Alibaba also announced this week that it led a $793.5 million investment round for Florida-based augmented reality firm Magic Leap, with continued investment from Google and Qualcomm.

“We invest in forward-thinking, innovative companies like Magic Leap that are developing leading products and technologies,” Joe Tsai, executive vice chairman at Alibaba, said. “We believe Alibaba can both provide support to and learn from such a partner, and we look forward to working with the Magic Leap team.”

In November, the company bought out the remaining shares in online video website Youku Tudou in a deal valued at about $3.7 billion. Alibaba previously held an 18.3 percent share in the online video company, and following the purchase would gain access to more than 580 million online video users a month, further bolstering its play in the Chinese digital media market. The deal is expected to be finalised in the first quarter of 2016.

Analysts said the report of the login attack led to the price of Alibaba’s US-listed shares falling as much as 3.7 percent in late Wednesday trade.