Alibaba's e-commerce site TaoBao, appears to have been the victim of an attack that reused stolen account credentials, such as passwords and usernames from third party sites.
A Reuters report claims that China's Ministry of Public Security said that the hackers used a database of 99 million usernames and passwords, which they entered into Alibaba's cloud network in a brute force attack. It is believed that 20.6 million accounts and passwords were successful, which allowed the hackers to buy products and post fake reviews. TaoBao, like eBay, is a reputation based seller-to-seller market place where reputation counts very highly so boosting an accounts reputation via fake reviews can be a big bonus.
The massive brute-force attack took place between October and November, without Alibaba's crack security team noticing these millions of failed login attempts. However, the attacks are most likely to have gone undetected due to the vast amount of traffic that TaoBao receives in a day and the fact that the hackers may only have needed try each username/password combination once.
Sophos' security man Paul Ducklin says: "One problem in this case is that with nearly 100 million account names to work with, the crooks didn’t need to try thousands of passwords per account to get a good hit rate, so Taobao may not have seen evidence of massive password guessing."
"Taobao is one of the busiest websites in the world, so processing hundreds of millions of logins, even it they come from the same internet region - Alibaba’s cloud network - is all in a day’s work."