Hackers Attack 20.59 Million Accounts Of Alibaba’s Taobao Marketplace

Chinese e-commerce giant Alibaba said Thursday that hackers tried to access more than 20 million active user accounts on its Taobao marketplace. A company spokesman said its security experts detected the attack in the first instance, and were able to protect a vast majority of those accounts by blocking hackers’ attempts. Hackers succeeded in accessing a small number of accounts, but the company declined to disclose the number of accounts accessed by hackers.

Suspects have been arrested

Alibaba said suspects have already been arrested. In recent years, Chinese companies have seen a sharp rise in the number of cyber attacks. Even though Alibaba has about 400 million monthly active users, security experts believe that the Chinese company has a long way to go before its defenses catch up with its US counterparts.

The Hangzhou-based company said hackers had stolen a database of 99 million users from other websites. They started inputting the stolen account login information on Taobao, and found that the stolen database matched that of 20.59 million Taobao users. The attackers started inputting the login details into Taobao in mid-October, and were discovered in November. Alibaba immediately reported the case to police, and asked its users to change their passwords.

Hackers rented Alibaba’s cloud service

A local newspaper said the attackers used compromised accounts to place fake orders on Taobao. Called brushing, the practice of faking orders to beef up sellers’ rankings is a major issue in China. The hackers also sold those user accounts to others to be used for fraud. An Alibaba spokesman said hackers had rented the company’s cloud computing service, but added that the hacking attempt was not aided by any loopholes in Alibaba’s cloud platform.

A major problem is that most people use the same username and password combinations for multiple websites. If hackers obtain user details by accessing a database from one platform, they may try the same combinations on multiple sites to hack user accounts.
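The reuse pattern described above leaves a recognizable trace in login logs: one source trying many different accounts in a short time, with most attempts failing. The following detection sketch is an added example, not code from Alibaba or from this article; the log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): time, source address, account, outcome.
SAMPLE_LOG = """\
2015-10-14T02:00:01 203.0.113.7 user01 FAIL
2015-10-14T02:00:03 203.0.113.7 user02 FAIL
2015-10-14T02:00:05 203.0.113.7 user03 OK
2015-10-14T02:00:08 203.0.113.7 user04 FAIL
2015-10-14T02:00:11 203.0.113.7 user05 FAIL
2015-10-14T02:00:15 203.0.113.7 user06 OK
2015-10-14T02:01:00 198.51.100.20 alice FAIL
2015-10-14T02:01:20 198.51.100.20 alice FAIL
2015-10-14T02:01:45 198.51.100.20 alice OK
2015-10-14T09:30:00 198.51.100.99 bob OK
"""

def parse(log):
    """Yield (timestamp, source, account, succeeded) from the assumed log format."""
    for line in log.splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result == "OK"

def detect_stuffing(log, window=timedelta(minutes=10), min_accounts=5, max_success=0.5):
    """Return {source: accounts to reset} for sources that try many distinct
    accounts inside one sliding window with a low success rate."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(log):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            span = events[start:end + 1]
            accounts = {u for _, u, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and rate <= max_success:
                # Every account this source logged into is treated as taken over.
                flagged[src] = sorted({u for _, u, ok in events if ok})
                break
    return flagged

if __name__ == "__main__":
    for src, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(src, "-> force password reset for", accounts)
```

The user who mistypes a password twice before succeeding (`alice`) is not flagged, because the rule keys on the number of distinct accounts per source rather than on failures alone.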