According to online security news source Naked Security, Taobao.com in China has been the victim of a massive data breach, with as many as 100 million records used to hack more than 20 million Taobao user accounts.
Founded in 2003 by China’s online giant Alibaba, Taobao is a consumer-to-consumer (C2C) online buying and selling website that operates in Chinese-speaking regions, similar to eBay or Amazon in the United States. Literally translated as “searching for treasure website,” the site provides a retail platform for small businesses and individual entrepreneurs to open online stores that mainly cater to consumers. With hundreds of millions of product listings, it is one of the world’s most visited websites.
In the online consumer-to-consumer world, purchases are made through a website, rather than from a website. Regular sellers build, or lose, credibility, succeeding or failing based upon their history and reputation with customers. In this kind of selling environment the business becomes self-policing, as poor products, poor service, and inappropriate or illegal activity will quickly lead to the demise of the business based on consumer feedback.
However, the ability to create false accounts that publish positive feedback, or that jump into the online bidding process of auctions to illegitimately inflate prices, can greatly influence the profitability and reputation of the seller. This appears to be one of the primary objectives of the recent data breach.
While the details of the data breach are not fully known at this time, it appears that cyber criminals illegally gained access to nearly 100 million email addresses and passwords from an unknown source. Taobao allows you to register an account using your phone number, a username, or your email address.
Beginning in October 2015, these cyber criminals tried to access the accounts, managing to gain access to almost 21 million Taobao accounts using the existing account information from the data breach. These accounts were then used for fake reviews and fake bidding to enhance the reputation of seller accounts and raise prices of products by creating false bidding wars on auctions.
According to cyber security experts, spotting some of these attack patterns following a data breach is often relatively easy the second time it happens. Unfortunately, with 21 million opportunities it could take some time to sort it all out.
Taobao users have been encouraged to change passwords using new password combinations that are both strong and unique to the user, and to monitor activity to look for unauthorized use.