Massive Brute-Force Attack on Alibaba Affects Millions

Up to 21 million accounts on Alibaba e-commerce site TaoBao may have been compromised thanks to a massive brute-force attack.

According to China's Ministry of Public Security, TaoBao, a commerce site that could be considered the eBay of China, was the subject of an ongoing offensive that lasted from mid-October to November. Using a database of 99 million usernames and passwords, the attackers managed to compromise 20.6 million accounts—or one in five.

“The recent cyber-attack on Alibaba is a prime example of the compounding effect that breaches have,” said Eric Chiu, president and co-founder at HyTrust. “Many consumers use the same credentials across their personal and work accounts, which means that data stolen in one breach can be used to access other accounts in order to steal money or gather more data to go after a bigger prize. This should be a reminder for companies to encrypt any sensitive or customer data, especially given the move to cloud environments, as well as for consumers to use different credentials for each account they open in order to protect themselves in case their data is stolen.”

Dave Martin, security expert and director at NSFOCUS IB, added, “Certainly, some of the accounts were compromised because of overlapping passwords, but there were likely many accounts stolen due to weak passwords that were defeated using brute force password attacks. This case is a reminder to users that they should create both a unique and strong password for every online account.”

Alibaba said that its systems were not breached—but there’s some question as to why the campaign wasn’t detected earlier.

“One other aspect that’s worth noting is that the attackers used servers rented from Alibaba themselves to conduct the attacks,” Martin said. “While these attacks are usually detected by examining authentication logs, network-based security applied in the egress or outbound direction from the cloud computing servers could also have prevented or identified this fraudulent activity much sooner.”
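Martin’s point about authentication logs, as an added example that is not from the article or from any of the companies quoted: a small detector over constructed login records that flags a source address trying many distinct usernames with a high failure rate inside a sliding window (the signature of a list-driven attack like the one described), then lists the accounts that succeeded from it so they can be reset. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (not real TaoBao data):
# <ISO timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2015-10-20T03:00:01 203.0.113.10 alice FAIL
2015-10-20T03:00:02 203.0.113.10 bob FAIL
2015-10-20T03:00:02 203.0.113.10 carol OK
2015-10-20T03:00:03 203.0.113.10 dave FAIL
2015-10-20T03:00:04 203.0.113.10 erin FAIL
2015-10-20T03:00:05 203.0.113.10 frank OK
2015-10-20T03:05:00 198.51.100.7 alice FAIL
2015-10-20T03:06:00 198.51.100.7 alice OK
"""

def parse_log(log_text):
    """Group (timestamp, username, result) events by source IP, sorted by time."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        events[ip].append((datetime.fromisoformat(ts), user, result))
    return {ip: sorted(evs) for ip, evs in events.items()}

def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try >= min_users distinct usernames inside one
    sliding window with a failure ratio >= min_fail_ratio. A list-driven attack
    cycles through many usernames per source; a user mistyping one password
    does not. Returns {ip: (distinct_users, attempts, failures)}."""
    flagged = {}
    for ip, evs in parse_log(log_text).items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), len(span), fails)
    return flagged

def accounts_to_reset(log_text, flagged):
    """Usernames that logged in successfully from a flagged source: the reused
    credentials the attacker validated, so lock them and force a password reset."""
    events = parse_log(log_text)
    return {u for ip in flagged for _, u, r in events[ip] if r == "OK"}
```

On the sample above, `detect_credential_stuffing(SAMPLE_LOG)` flags only `203.0.113.10` and `accounts_to_reset` returns `carol` and `frank`; the single user retrying from `198.51.100.7` is left alone.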

In any event, the breach shows that, for the most part, the hackers have time on their side.

“It’s currently relatively easy—based on the evidence—to breach a network, study it and expropriate whatever data you want. It highlights yet again the need for effective post-infection detection,” said Richard Greene, CEO of Seculert.

Photo © Evan Lorne/