Naked Security

Data breach in China: 100 million records used to hack 20 million Taobao users

A massive breach - but what actually happened?

Taobao.com is a Chinese buying-and-selling site, like eBay in the US.

Taobao is owned by China’s online giant, Alibaba, and offers what’s known as C2C, or consumer-to-consumer, retail.

In the online C2C world, where you’re not buying from a website, but rather through it, regular sellers succeed or fail on their history and reputation.

Creating a new, fraudulent account and trying to sell hooky goods is not enough, because a crook needs to build up some credibility – happy buyers, basically – before things really start to move.

The idea is that the ecosystem becomes self-policing, because you’ll quickly be outed and exposed if you rip people off, and the details of your treachery will be there for everyone to see, such as goods never sent, substandard products, dishonoured refunds and so on.

You could create your own additional network of fake accounts that publish glowing reviews, or that jump into online bidding to inflate your prices, but that’s hard to do convincingly.

Or you could go after other people’s logins in order to “borrow” their reputation, offer positive feedback in their name, or even to influence the bidding.

(If you accidentally win the bidding for your own item via someone else’s account, you can just logout and walk away, leaving the hapless user with the problem of a purchase that they refuse to go through with.)

That’s what seems to have been happening in China, in what seems to have been a data breach of staggering proportions.

As in many data breach cases, what actually happened isn’t yet clear, even though it started in October 2015.

What we think happened

  • The crooks acquired a database of close to 100 million email addresses and passwords from an unknown source, presumably one or more previous breaches, none to do with Alibaba.
  • Starting in October 2015, the crooks used servers hosted on Alibaba’s cloud server platform to try all these email addresses in Taobao logins.
  • The crooks actually managed to log in to nearly 21 million Taobao accounts, thanks to the existing account information.
  • The hacked accounts were exploited for fake reviews and fake bidding, as described above.

What we don’t yet know

  • Where did the original, giant database of login information come from?

If it was a single breach of its own, this list of 100 million user identities would be five times as big a breach as this one!

  • Did the original data include plaintext passwords, hashed passwords, or password hints?

Taobao allows you to register an account using your phone number, a username, or your email address, so any list of working Chinese email addresses would be a fruitful starting point for a password guessing attack, where you just pick off the users with 12345678, qwertyuiop or 淘宝网 as their passwords.

But with plaintext passwords exposed from an earlier attack, the crooks wouldn’t need to guess at all; and with hashed passwords stolen, the crooks could have mounted an offline attack to figure out some of the passwords in advance.

  • Would victims have avoided trouble by following our advice of “one account, one password”?

Assume that your password wasn’t easily guessable “from scratch,” and that the stolen user account data had nothing to do with Alibaba in the first place, as claimed.

You’d have been safe on Taobao if you’d had a different password for every account, because the password figured out by the crooks from the original breach would be no use to them on any other site.

  • Should the Taobao authentication servers have spotted the repetitious login attempts by the crooks as suspicious?

Rate limiting, which is where a service slows down or locks you out after too many unusual connection attempts, can be a huge barrier to cybercriminality.

ATMs do it, for example: even if you only have a 5-digit PIN on your bank card, it’s fairly safe because the machine cancels and swallows the card after three mistakes.

One problem in this case is that with nearly 100 million account names to work with, the crooks didn’t need to try thousands of passwords per account to get a good hit rate, so Taobao may not have seen evidence of massive password guessing.

Taobao, one imagines, would have to detect and react to different logins from the same or a similar part of the internet.

But Taobao is one of the busiest websites in the world, so processing hundreds of millions of logins, even if they come from the same internet region (here, from Alibaba’s cloud network), is all in a day’s work.

In cybersecurity, spotting attack patterns is often really easy…the second time it happens!
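The point above is that per-account rate limiting never fires when the crooks make one guess per account across 100 million accounts, so the signals have to be computed per source network and per account over a time window. The following is an added example, not code from the article or from Taobao, that runs three sliding-window counters over constructed login log lines: how many distinct accounts one /24 has tried, how many distinct /24s have logged into one account, and how many failed passwords one account has taken. The log format, the thresholds, the 10-minute window and the use of a /24 as a stand-in for “the same or a similar part of the internet” are all assumptions made for the example; in production you would key on ASN or cloud-provider ranges and tune the thresholds against your own traffic.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real Taobao logs): one line per login
# attempt, in chronological order. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2015-10-12T03:00:00Z src=203.0.113.7 user=bob@example.com result=OK
2015-10-12T03:00:05Z src=198.51.100.21 user=a1@example.com result=OK
2015-10-12T03:00:06Z src=198.51.100.21 user=a2@example.com result=FAIL
2015-10-12T03:00:07Z src=198.51.100.22 user=a3@example.com result=OK
2015-10-12T03:00:08Z src=198.51.100.23 user=a4@example.com result=FAIL
2015-10-12T03:00:09Z src=198.51.100.23 user=a5@example.com result=OK
2015-10-12T03:01:00Z src=192.0.2.9 user=carol@example.com result=FAIL
2015-10-12T03:01:01Z src=192.0.2.9 user=carol@example.com result=FAIL
2015-10-12T03:01:02Z src=192.0.2.9 user=carol@example.com result=FAIL
2015-10-12T03:01:03Z src=192.0.2.9 user=carol@example.com result=FAIL
2015-10-12T03:01:04Z src=192.0.2.9 user=carol@example.com result=FAIL
2015-10-12T03:01:05Z src=192.0.2.9 user=carol@example.com result=FAIL
2015-10-12T03:02:00Z src=100.64.1.10 user=dave@example.com result=OK
2015-10-12T03:02:30Z src=100.64.2.10 user=dave@example.com result=OK
2015-10-12T03:03:00Z src=100.64.3.10 user=dave@example.com result=OK
2015-10-12T03:03:30Z src=100.64.4.10 user=dave@example.com result=OK
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed thresholds for this example; tune them against real traffic.
WINDOW = timedelta(minutes=10)
MAX_ACCOUNTS_PER_NET = 3   # distinct accounts tried from one /24 inside WINDOW
MAX_NETS_PER_ACCOUNT = 3   # distinct /24s that logged into one account inside WINDOW
MAX_FAILS_PER_ACCOUNT = 5  # failed passwords for one account inside WINDOW


def parse(line):
    """Return (timestamp, source /24, user, result) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    net = ipaddress.ip_network(f"{m['src']}/24", strict=False)
    return ts, str(net), m["user"], m["result"]


class Window:
    """Sliding-window counter: per key, how many times each value was seen in WINDOW.

    Events must be fed in chronological order; expiry is driven by the newest timestamp.
    """

    def __init__(self):
        self.events = deque()                              # (ts, key, value)
        self.counts = defaultdict(lambda: defaultdict(int))  # key -> value -> count

    def add(self, ts, key, value):
        self.events.append((ts, key, value))
        self.counts[key][value] += 1
        while self.events and ts - self.events[0][0] > WINDOW:
            old_ts, old_key, old_value = self.events.popleft()
            self.counts[old_key][old_value] -= 1
            if self.counts[old_key][old_value] == 0:
                del self.counts[old_key][old_value]

    def distinct(self, key):
        return len(self.counts[key])

    def total(self, key):
        return sum(self.counts[key].values())


def detect(lines):
    """Return the unique (signal, subject) alerts raised over a stream of log lines."""
    accounts_per_net = Window()   # too many different logins from the same place
    nets_per_account = Window()   # the same login from too many different places
    fails_per_account = Window()  # too many failed passwords for one account
    alerts = set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # a real pipeline should count unparseable lines as well
        ts, net, user, result = parsed
        accounts_per_net.add(ts, net, user)
        nets_per_account.add(ts, user, net)
        if result == "FAIL":
            fails_per_account.add(ts, user, "fail")
        # The first signal is the one that catches one-guess-per-account stuffing:
        # every individual account looks normal, but the source network does not.
        if accounts_per_net.distinct(net) > MAX_ACCOUNTS_PER_NET:
            alerts.add(("many-accounts-from-one-net", net))
        if nets_per_account.distinct(user) > MAX_NETS_PER_ACCOUNT:
            alerts.add(("one-account-from-many-nets", user))
        if fails_per_account.total(user) > MAX_FAILS_PER_ACCOUNT:
            alerts.add(("many-fails-for-one-account", user))
    return sorted(alerts)


if __name__ == "__main__":
    for signal, subject in detect(SAMPLE_LOG):
        print(f"{signal}: {subject}")
```

Run against the sample, the stuffing run from 198.51.100.0/24 is flagged even though no account in it saw more than one attempt, which is exactly the case the per-account view misses; the brute force against one account and the one account logging in from four networks trigger the other two signals, and the lone legitimate login does not appear at all.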

WHAT TO DO?

  • If you’re a Taobao user, change your password if you haven’t been forced to already. This time, make sure you choose something strong and unique.
  • Turn on 2FA for services that support it. 2FA is two-factor authentication, where you need a one-time code as well as your password every time you log in.
  • Watch those logs. If you run online services of your own, get into the habit of looking for suspicious activity. You may not yet know what patterns will reveal future attacks, but if you don’t look, you’ll definitely never spot them.
  • Apply some sort of rate limiting on your login pages. You can give crooks a generous allowance of failed logins and still slow them down enormously, without having any effect on legitimate users. Too many different logins from the same place, too many identical logins from different places, and too many failed passwords for the same account, are obvious warning signs.