Attackers have leveraged duplicate login credentials to compromise approximately 21 million accounts on Alibaba Group’s Taobao ecommerce website.
According to a report on a website managed by the Chinese Ministry of Public Security, the attack first began when a group of computer criminals obtained access to a database of 99 million usernames and passwords for other websites.
Reuters writes that the attackers then used Alibaba’s cloud computing platform to input those credentials in order to see if some Taobao account holders had duplicated their logins across websites.
Of the 99 million usernames they inputted, the criminals found that 20.59 million were also being used for Taobao.
In October, the attackers first began inputting the credentials into Taobao. When they came across a match, they faked orders using the compromised account as a means to artificially raise sellers’ rankings. They also sold many of the accounts to fraudsters.
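The technique described above is credential stuffing: replaying a leaked username/password list against a second site and keeping the hits. From a defender's side, the pattern is visible in authentication logs as one source trying many distinct usernames with a high failure rate and then succeeding on a few of them. The following detector is an added example, not code from the article or from Alibaba or Taobao; the log format, the IP addresses and usernames, and the thresholds are all constructed or hypothetical.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example, not from the article. A source that attempts many *distinct*
usernames with mostly failures, then succeeds on a handful, is replaying a
leaked credential list; a legitimate user mistyping their password hits one
account repeatedly, so the distinct-username count separates the two.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in a hypothetical format:
# <timestamp> <source ip> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2016-02-04T10:00:01Z 203.0.113.10 alice FAIL
2016-02-04T10:00:02Z 203.0.113.10 bob FAIL
2016-02-04T10:00:02Z 203.0.113.10 carol FAIL
2016-02-04T10:00:03Z 203.0.113.10 dave SUCCESS
2016-02-04T10:00:03Z 203.0.113.10 erin FAIL
2016-02-04T10:00:04Z 203.0.113.10 frank FAIL
2016-02-04T10:00:04Z 203.0.113.10 grace SUCCESS
2016-02-04T10:00:05Z 203.0.113.10 heidi FAIL
2016-02-04T10:01:00Z 198.51.100.7 alice FAIL
2016-02-04T10:01:05Z 198.51.100.7 alice FAIL
2016-02-04T10:01:09Z 198.51.100.7 alice SUCCESS
2016-02-04T10:02:00Z 192.0.2.33 bob SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str):
    """Yield (ip, username, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "SUCCESS"


def aggregate(events) -> dict:
    """Group parsed events by source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(stats: dict, min_distinct_users: int = 5,
                  min_failure_ratio: float = 0.5) -> dict:
    """Return {ip: sorted successful usernames} for sources matching the pattern.

    Thresholds are hypothetical starting points; tune them against the real
    login volume of the service being monitored.
    """
    flagged = {}
    for ip, s in stats.items():
        if (len(s.usernames) >= min_distinct_users
                and s.failure_ratio >= min_failure_ratio):
            flagged[ip] = sorted(s.successes)
    return flagged


def detect(log_text: str = SAMPLE_LOG) -> dict:
    """End-to-end: parse, aggregate, flag."""
    return flag_stuffing(aggregate(parse_log(log_text)))


if __name__ == "__main__":
    for ip, users in detect().items():
        # The successful accounts are the ones whose passwords were reused
        # elsewhere; they are candidates for a forced reset and a fraud review.
        print(f"{ip}: credential-stuffing pattern; compromised accounts: {users}")
```

In the constructed sample, the single source that walks through eight different usernames is flagged and its two successful logins are returned, while the source retrying one account three times (an ordinary typo pattern) is not. The returned usernames are exactly the accounts whose owners reused a password that had already leaked elsewhere, which is the population the article says Alibaba asked to change their passwords.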
Alibaba ultimately got wise to the attack campaign and reported the case to the police in November. The suspects have since been caught, reports the Chinese Ministry of Public Security.
The attack “highlights a common practice in cyber-attacks and a common misstep in users managing their passwords – using the same password across multiple services,” wrote Yishai Beeri, CloudLock director of cybersecurity research, in an email to SCMagazine.com.
A spokesman for Alibaba has been careful to point out that Alibaba’s systems were never breached. The company has also urged users to change their passwords, especially if their credentials are currently duplicated across other websites.
This attack represents just the latest event among a growing list of security incidents involving companies based in China.
Back in November, the Hong Kong toy maker VTech confirmed a hack of its Learning Lodge app database that contained the personal information of five million customers. Some of the exposed data related to the customers’ children.