Hackers acquired a database of 99 million user names and passwords from other sites, and found plenty that worked on Taobao too.
Back in October last year, hackers attempted to access over 20 million accounts on Taobao, an online shopping site similar to Amazon owned by corporate giant Alibaba, according to a Reuters report that relies on a number of articles from Chinese state media and government.
The hackers originally obtained a database of 99 million usernames and passwords from various websites. From here, they found that 20.59 million of those were also being used for accounts on Taobao, by using Alibaba's cloud computing service to input the credentials.
The compromised accounts were then used to make fake orders so as to erroneously boost sellers' ratings, and the hackers also sold a number of the accounts themselves, the report continues.
Indeed, Taobao has been used to sell hacked iTunes accounts previously.
The attack was detected in November, and Alibaba reported the case to the police. The hackers responsible have reportedly been arrested.
Alibaba did not immediately respond to a request for comment from Motherboard.
The lesson: It appears that these accounts were accessed because the username and password combinations used for Taobao were the same as other sites that had been targeted earlier. When one site is hacked, or its database obtained, attackers can then trivially attempt to use those details on any other site. For that reason, it's crucial to always use a unique password on every different service. A password manager is perhaps the easiest way of doing this: the software will generate new passwords whenever needed.
Update: An Alibaba Group spokesperson offered the following statement: ""Alibaba's system was never breached. This incident involved suspects using account login information stolen from other websites to attempt to match with Taobao accounts. Our world-class security team detected these criminal attempts in the first instance and mitigated the potential effects by swiftly reminding users to change their passwords and not use the same password on multiple platforms. We also worked very closely with the police to provide clues from analysis derived from our technology to aid the authorities to bring these criminals to justice. Alibaba takes security seriously and we do everything possible to protect our users. "