Alibaba security fail: Brute-force bonanza yields 21m logins

'Crack security team' didn't notice attempt to log in 99 million times


Up to 21 million accounts on Alibaba e-commerce site TaoBao may have been compromised after credentials stolen from breached third-party sites were reused against TaoBao logins.

TaoBao is a seller-to-seller commerce site like Gumtree or eBay where users rely on reputation to secure the most sales.

Reuters reports that China's Ministry of Public Security said the hackers used a database brimming with 99 million usernames and passwords, which they entered into Alibaba's cloud network. Doing so showed that 20.6 million passwords were accurate and linked to TaoBao accounts.

The epic brute-force siege lasted from mid-October to November, with the attackers using the compromised accounts to buy products and post fake reviews that bolstered seller reputations.

The attacks were immediately reported to police. Six people have been arrested.

Alibaba says its systems were not breached and adds that it has reminded users not to reuse passwords.

It has not commented on how its "world-class security team" failed to detect the likely millions of failed rapid-fire bot entries into its login portals until weeks after the campaign began.

Sophos security man Paul Ducklin says the attack may have flown under TaoBao's radar since only a few common passwords needed to be used in order to gain access to a large number of accounts.

"One problem in this case is that with nearly 100 million account names to work with, the crooks didn’t need to try thousands of passwords per account to get a good hit rate, so Taobao may not have seen evidence of massive password guessing," Ducklin said.

"Taobao is one of the busiest websites in the world, so processing hundreds of millions of logins, even if they come from the same internet region - Alibaba’s cloud network - is all in a day’s work."

Ducklin says the attack serves as a warning for website owners to apply login rate limiters, and for users to deploy two-factor authentication and ensure passwords are not reused. ®
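Ducklin's point is that a per-account lockout never fires when each account sees only one or two guesses. The following added example (not from the article, Sophos or Alibaba; the login events are constructed) contrasts that classic per-account limiter with a population-level check that counts how many distinct accounts a single source fails against.

```python
from collections import defaultdict

def build_events():
    """Constructed login events, not real telemetry: (source, account, ok)."""
    events = []
    # One source tries a single leaked password against 200 accounts;
    # a 10% hit rate yields 20 takeovers but at most one failure per account.
    for i in range(200):
        events.append(("src-cloud-a", f"user{i:04d}", i % 10 == 0))
    # Legitimate users: two typos, then a successful login from their own IP.
    for name in ("alice", "bob", "carol"):
        events += [(f"src-home-{name}", name, False)] * 2
        events.append((f"src-home-{name}", name, True))
    return events

def per_account_alerts(events, max_failures=5):
    """Classic limiter: accounts with more than max_failures failed logins.
    Misses the stuffing source above because no account fails more than once."""
    failures = defaultdict(int)
    for _, account, ok in events:
        if not ok:
            failures[account] += 1
    return sorted(a for a, n in failures.items() if n > max_failures)

def breadth_alerts(events, min_accounts=50, min_fail_ratio=0.5):
    """Population view: a source that fails against many distinct accounts
    with a high overall failure ratio, regardless of per-account counts."""
    attempts = defaultdict(int)
    failures = defaultdict(int)
    failed_accounts = defaultdict(set)
    for source, account, ok in events:
        attempts[source] += 1
        if not ok:
            failures[source] += 1
            failed_accounts[source].add(account)
    return sorted(
        s for s in attempts
        if len(failed_accounts[s]) >= min_accounts
        and failures[s] / attempts[s] >= min_fail_ratio
    )

if __name__ == "__main__":
    ev = build_events()
    print("per-account alerts:", per_account_alerts(ev))  # []
    print("breadth alerts:", breadth_alerts(ev))          # ['src-cloud-a']
```

On a site the size of Taobao the `min_accounts` threshold would be tuned per source aggregate (network range or ASN rather than a single IP), but the shape of the check is the same.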
