
Data breach in China: 100 million records used to hack 20 million Taobao users

Taobao.com is a Chinese buying-and-selling site, like eBay in the US.

Taobao is owned by China’s online giant, Alibaba, and offers what’s known as C2C, or consumer-to-consumer, retail.

In the online C2C world, where you’re not buying from a website, but rather through it, regular sellers succeed or fail on their history and reputation.

Creating a new, fraudulent account and trying to sell hooky goods is not enough, because a crook needs to build up some credibility – happy buyers, basically – before things really start to move.

The idea is that the ecosystem becomes self-policing, because you’ll quickly be outed and exposed if you rip people off, and the details of your treachery will be there for everyone to see, such as goods never sent, substandard products, dishonoured refunds and so on.

You could create your own additional network of fake accounts that publish glowing reviews, or that jump into online bidding to inflate your prices, but that’s hard to do convincingly.

Or you could go after other people’s logins in order to “borrow” their reputation, offer positive feedback in their name, or even to influence the bidding.

(If you accidentally win the bidding for your own item via someone else’s account, you can just logout and walk away, leaving the hapless user with the problem of a purchase that they refuse to go through with.)

That’s what seems to have been happening in China, in what appears to be a data breach of staggering proportions.

As in many data breach cases, what actually happened isn’t yet clear, even though it started in October 2015.

What we think happened

What we don’t yet know

If it was a single breach of its own, this list of 100 million user identities would be five times as big a breach as this one!

Taobao allows you to register an account using your phone number, a username, or your email address, so any list of working Chinese email addresses would be a fruitful starting point for a password guessing attack, where you just pick off the users with 12345678, qwertyuiop or 淘宝网 as their passwords.

But with plaintext passwords exposed from an earlier attack, the crooks wouldn’t need to guess at all; and with hashed passwords stolen, the crooks could have mounted an offline attack to figure out some of the passwords in advance.

Assume that your password wasn’t easily guessable “from scratch,” and that the stolen user account data had nothing to do with Alibaba in the first place, as claimed.

You’d have been safe on Taobao if you’d had a different password for every account, because the password figured out by the crooks from the original breach would be no use to them on any other site.

Rate limiting, which is where a service slows down or locks you out after too many unusual connection attempts, can be a huge barrier to cybercriminality.

ATMs do it, for example: even if you only have a 5-digit PIN on your bank card, it’s fairly safe because the machine cancels and swallows the card after three mistakes.

One problem in this case is that with nearly 100 million account names to work with, the crooks didn’t need to try thousands of passwords per account to get a good hit rate, so Taobao may not have seen evidence of massive password guessing.

Taobao, one imagines, would have to detect and react to different logins from the same or a similar part of the internet.

But Taobao is one of the busiest websites in the world, so processing hundreds of millions of logins, even if they come from the same internet region (here, from Alibaba’s cloud network), is all in a day’s work.

In cybersecurity, spotting attack patterns is often really easy… the second time it happens!
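To make the detection point above concrete, here is an added example (not code from the article or from Taobao) that runs two rules over a constructed login log: an ATM-style per-account lockout, which a one-try-per-account credential-stuffing run never triggers, and an aggregate rule that counts distinct failing accounts per source network region. The /16 grouping, the thresholds and the sample addresses are assumptions.

```python
"""Added example: why per-account lockout misses credential stuffing,
and what a per-region aggregate detector sees instead."""
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed log rows: (source_ip, username, login_succeeded).
# Attack pattern from the article: one try per account, spread across many
# accounts, all from addresses in the same network region (TEST-NET-3 here).
ATTACK = [(f"203.0.113.{i % 250 + 1}", f"user{i:05d}", i % 7 == 0)
          for i in range(600)]
# A few ordinary users, one of whom mistypes a password several times.
LEGIT = [("198.51.100.7", "alice", True), ("198.51.100.7", "alice", False),
         ("198.51.100.9", "bob", False), ("198.51.100.9", "bob", False),
         ("198.51.100.9", "bob", False), ("198.51.100.9", "bob", False)]
LOG = ATTACK + LEGIT


def per_account_lockouts(log, max_failures=3):
    """ATM-style rule: lock an account after N failed attempts on it."""
    fails = Counter(user for _, user, ok in log if not ok)
    return {user for user, n in fails.items() if n >= max_failures}


def region_of(ip, prefix=16):
    """Collapse a source address to its /16 network (assumed grouping)."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def region_spray_alerts(log, min_accounts=50, min_fail_ratio=0.5):
    """Aggregate rule: alert when many distinct accounts fail from one region."""
    by_region = defaultdict(list)
    for ip, user, ok in log:
        by_region[region_of(ip)].append((user, ok))
    alerts = {}
    for region, rows in by_region.items():
        failed_users = {user for user, ok in rows if not ok}
        fail_ratio = sum(not ok for _, ok in rows) / len(rows)
        if len(failed_users) >= min_accounts and fail_ratio >= min_fail_ratio:
            alerts[region] = len(failed_users)  # distinct accounts that failed
    return alerts


if __name__ == "__main__":
    # Only "bob" trips the per-account rule; the 514 spray failures do not.
    print("locked accounts:", per_account_lockouts(LOG))
    # The aggregate rule flags the attacking /16 with 514 distinct failing accounts.
    print("region alerts:", region_spray_alerts(LOG))
```

The per-account rule sees one failure per attacked account and stays silent, while the region rule flags 514 distinct failing accounts from one /16; the legitimate /16 never reaches the account threshold.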

WHAT TO DO?
