Alibaba security fail: Brute-force bonanza yields 21m logins

'Crack security team' didn't notice attempt to log in 99 million times


Up to 21 million accounts on Alibaba e-commerce site TaoBao may have been compromised thanks to stolen credentials reused on breached third-party sites.

TaoBao is a seller-to-seller commerce site like Gumtree or eBay where users rely on reputation to secure the most sales.

Reuters reports that China's Ministry of Public Security said the hackers used a database brimming with 99 million usernames and passwords, which they entered into Alibaba's cloud network. Doing so showed that 20.6 million passwords were accurate and linked to TaoBao accounts.

The epic brute-force siege lasted from mid-October to November; the attackers used the compromised accounts to buy products and post fake reviews that bolstered seller reputations.

The attacks were immediately reported to police. Six people have been arrested.

Alibaba says its systems were not breached and adds that it has reminded users not to reuse passwords.

It has not commented on how its "world-class security team" failed to detect the likely millions of failed rapid-fire bot entries into its login portals until weeks after the campaign began.

Sophos security man Paul Ducklin says the attack may have flown under TaoBao's radar since only a few common passwords needed to be used in order to gain access to a large number of accounts.

"One problem in this case is that with nearly 100 million account names to work with, the crooks didn’t need to try thousands of passwords per account to get a good hit rate, so Taobao may not have seen evidence of massive password guessing," Ducklin said.

"Taobao is one of the busiest websites in the world, so processing hundreds of millions of logins, even if they come from the same internet region - Alibaba’s cloud network - is all in a day’s work."

Ducklin says the attack serves as a warning for website owners to apply login rate limiters and for users to deploy two-factor authentication and ensure passwords are not reused. ®
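Ducklin's point is that a per-account failure counter never fires when each account sees only one or two guesses, so the signal has to be sought per source instead. The following is an added example, not code from the article, from Alibaba or from Sophos; the log format, the three traffic patterns and the thresholds are assumptions chosen for illustration. It builds a constructed authentication log that mixes ordinary users, a classic single-account brute force and a credential-stuffing run, then shows that account lockout logic catches only the brute force while a per-source "distinct accounts attempted" detector catches the stuffing.

```python
"""Detecting credential stuffing from authentication logs.

Added example (not the article's or Taobao's code). Log format and
thresholds are assumptions; the sample events are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class LoginEvent(NamedTuple):
    ts: int          # seconds since the start of the observation window
    src_ip: str      # client address as seen by the login service
    username: str
    success: bool


def build_sample_events() -> List[LoginEvent]:
    """Constructed, deterministic sample log; not real traffic.

    Three kinds of activity are mixed together:
      * ordinary users who mistype a password once, then succeed,
      * a classic brute force: one account, many guesses, one source,
      * credential stuffing: one source, one guess per account, many accounts.
    """
    events = []
    for i in range(50):                                  # ordinary users
        user, ip = f"user{i:03d}", f"203.0.113.{i + 1}"
        events.append(LoginEvent(i * 7, ip, user, False))
        events.append(LoginEvent(i * 7 + 3, ip, user, True))
    for k in range(40):                                  # brute force on one account
        events.append(LoginEvent(100 + k, "198.51.100.7", "user007", False))
    for n in range(400):                                 # stuffing: 1 guess per account
        ok = n % 50 == 0                                 # ~2% of leaked passwords still valid
        events.append(LoginEvent(200 + n, "192.0.2.99", f"victim{n:03d}", ok))
    events.sort(key=lambda e: e.ts)
    return events


def per_account_alerts(events: List[LoginEvent], max_failures: int = 5) -> Set[str]:
    """Classic lockout logic: flag accounts with more than max_failures failed logins.

    Blind to stuffing, because each stuffed account fails at most once or twice.
    """
    failures: Dict[str, int] = defaultdict(int)
    for e in events:
        if not e.success:
            failures[e.username] += 1
    return {u for u, n in failures.items() if n > max_failures}


def per_source_breadth_alerts(events: List[LoginEvent],
                              max_distinct_accounts: int = 20,
                              window_seconds: int = 600) -> Set[str]:
    """Flag a source that attempts more than max_distinct_accounts distinct
    usernames inside a sliding time window, regardless of per-account counts."""
    by_src: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src_ip].append(e)
    flagged = set()
    for ip, evs in by_src.items():
        recent: List[LoginEvent] = []                    # events inside the window, oldest first
        for e in evs:
            recent.append(e)
            while recent and recent[0].ts < e.ts - window_seconds:
                recent.pop(0)
            if len({r.username for r in recent}) > max_distinct_accounts:
                flagged.add(ip)
                break
    return flagged


def source_success_ratio(events: List[LoginEvent]) -> Dict[str, float]:
    """Successes / attempts per source. A few percent across hundreds of distinct
    accounts is the stuffing signature Ducklin describes."""
    attempts: Dict[str, int] = defaultdict(int)
    wins: Dict[str, int] = defaultdict(int)
    for e in events:
        attempts[e.src_ip] += 1
        wins[e.src_ip] += int(e.success)
    return {ip: wins[ip] / attempts[ip] for ip in attempts}


if __name__ == "__main__":
    log = build_sample_events()
    print("lockout alerts :", per_account_alerts(log))          # only the brute-forced account
    print("breadth alerts :", per_source_breadth_alerts(log))   # only the stuffing source
    print("stuffing hit rate:", source_success_ratio(log)["192.0.2.99"])
```

The breadth detector keys on the source address, which works here because the run came from one network region; an attacker spreading guesses across many addresses dilutes that signal, so in practice the same count is also kept per /24, per ASN or per device fingerprint, and the global ratio of failed logins for accounts seen for the first time from a given source is tracked alongside it.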
