Alibaba suffers billion-item data leak of usernames and mobile numbers
Shopping service Taobao scraped by affiliate marketer; developer and boss jailed
Alibaba’s Chinese shopping operation Taobao has suffered a data breach of over a billion data points including usernames and mobile phone numbers. The info was lifted from the site by a crawler developed by an affiliate marketer.
Chinese outlet 163.com reported the case last week and today it was picked up by the Wall Street Journal.
Both reports state that a developer created a crawler that was able to reach beneath information available to the human eye on Taobao, and that the crawler operated for several months before Alibaba noticed the effort.
163.com suggests the source of the crawler was a company that makes money from affiliate referrals to Taobao, and that the site was scraped from November 2019 until Alibaba noticed the activity in July 2020. Alibaba notified authorities, an investigation commenced, and the matter landed in the People’s Court of Suiyang District — which in May convicted a developer and his employer of lifting the data.
Both were sentenced to three years inside.
Thankfully, the perps appear not to have shared the data, instead hoarding it for their own purposes.
- Beijing's new privacy rules ban apps collecting unnecessary data, require free service without data slurps
- Law prof: New Chinese data regulations make it 'very hard for foreign firms to comply'
- Beijing gives Ant Group the blessing to operate a consumer finance company
- China arrests over 1000 for using cryptocurrency to help launder proceeds of phone scams
News of the scraping incident comes as China increasingly seeks to rein in its web giants, to prevent them from gaining excess market power and to ensure they don’t collect more data than is needed for their everyday activities.
In this case, the court found that Alibaba and Taobao broke no laws. The companies could yet face sanctions for being lax, as web crawlers are far from unknown or impossible to anticipate.
Alibaba has reportedly ’fessed up to messing up — a rather different approach to that displayed by Facebook when news of over 500 million scraped customer records re-emerged in April 2021 and The Social Network™ suggested users should revisit their privacy settings to stop scrapers. ®
Registering for Chinese court reporting sites requires a code sent to a mobile phone. Our best efforts to secure one of those codes have been unsuccessful over a period of several months.