Chinese police arrest hackers after Alibaba detects attack

Feb 6, 2016 23:05 GMT

The Chinese Ministry of Public Security has announced the arrest of a group of hackers who tried to break into over 20.59 million TaoBao.com accounts, Reuters reports.

TaoBao is one of Alibaba's subsidiaries, an eBay-like site where users can buy and sell their products at the prices they choose.

According to an announcement on the Ministry's website, local authorities apprehended a group of cyber-crooks who used an automated attack to try to break into TaoBao accounts.

The hackers, who haven't been named yet, got their hands on a database of 99 million username and password combinations gathered from multiple other breached websites.

Another case of password reuse puts users at risk

In October, using Alibaba's cloud computing platform, the hackers started testing these username-password combinations against TaoBao's login system.

Even though none of the user details were leaked from Alibaba's or TaoBao's infrastructure, the hackers were betting on password reuse: that some of the username-password combinations from other sites would also be valid on TaoBao's portal.

According to Chinese authorities, the hackers discovered that over 20.59 million of their 99 million credential pairs were also valid TaoBao login credentials.

Alibaba observed their attack in November and reported the incident to Chinese authorities.
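As an added illustration, not from the article and not Alibaba's own detection logic, here is a Python check for the pattern described above: a single source trying many distinct usernames, one guess each, with a high failure rate, which is how credential stuffing stands out from ordinary failed logins. The log format, field names and sample lines are constructed for the demo.

```python
# Added example (not from the article): flag credential-stuffing sources in auth logs.
from collections import defaultdict

# Constructed sample lines: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2015-10-03T02:00:01Z 203.0.113.10 alice FAIL
2015-10-03T02:00:02Z 203.0.113.10 bob FAIL
2015-10-03T02:00:02Z 203.0.113.10 carol OK
2015-10-03T02:00:03Z 203.0.113.10 dave FAIL
2015-10-03T02:00:04Z 203.0.113.10 erin FAIL
2015-10-03T02:00:05Z 203.0.113.10 frank FAIL
2015-10-03T02:01:00Z 198.51.100.7 alice FAIL
2015-10-03T02:01:30Z 198.51.100.7 alice OK
2015-10-03T02:02:00Z 192.0.2.44 gina OK
"""

def parse(log_text):
    """Yield (source_ip, username, success) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, user, result = parts
        yield src, user, result == "OK"

def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: stats} for sources that tried many distinct usernames
    with mostly failures. A stuffing source cycles through accounts (one guess
    each), unlike a brute force on one account or a user mistyping a password."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": []})
    for src, user, ok in parse(log_text):
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].append(user)   # valid reused credential: account needs a reset
        else:
            s["fails"] += 1
    flagged = {}
    for src, s in stats.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"users": len(s["users"]), "attempts": s["attempts"],
                            "fail_ratio": round(ratio, 2), "hits": s["hits"]}
    return flagged

if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The `hits` list for a flagged source is the set of accounts whose reused password was accepted, which is the list a defender would force-reset and notify.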

Alibaba blocked most log-in attempts

Alibaba says that the vast majority of log-in attempts were thwarted, but the hackers did manage to breach some accounts.

The hacker group then used the compromised accounts to place fake orders with their own seller accounts, boosting those accounts' sales reputation before using them to carry out fraudulent transactions.

Just this past week, a similar type of incident was reported by luxury retailer Neiman Marcus, owner of brands like Alexander McQueen, Carolina Herrera, Dolce & Gabbana, Givenchy, Jimmy Choo, and Valentino.

Just like in the Alibaba incident, the hackers behind that attack took username-password combinations from previous breaches and used an automated log-in system to check whether they matched any current accounts on the various Neiman Marcus websites.