According to various reports in Chinese-language news outlets, police in China recently held a press conference outlining an extensive data breach at the taobao.com e-commerce website, China’s equivalent to eBay. The breach involved a criminal gang successfully gaining access to 20.59 million user accounts at Taobao by breaking into a database on Alibaba Group’s cloud service platform AliCloud.

But according to an Alibaba spokesperson, the stolen data did not belong to Taobao: the attackers simply ran the user/pass combos against the popular Taobao site, hoping to get matches from consumers using duplicate logins across a number of sites, and did so with an extraordinarily high success rate.

Various Chinese-language sites are carrying the story, including MyDrivers, ce.cn and Techweb.

Police in Zhejiang held a conference on Monday regarding the attack, which took place between 14-15 October 2015, announcing also that in the same month they arrested up to 25 suspects in Fujian province in relation to the case.

Though no disclosure has been made regarding any loss to Taobao users who were affected, police also announced a separate enquiry into an earlier 2015 attack against Alibaba’s international business-to-business platform alibaba.com. In this case the criminals were able to gain access to a prominent seller account via a spear-phishing campaign, and ultimately to defraud overseas buyers of more than $1 million, leading to 1,700 complaints of non-delivery by August of 2015.

Taobao is the 12th most popular internet site in the world, and the 3rd most popular in China, according to Alexa, with an estimated 265 million registered users. Reports indicate that the stolen database contained 99 million users’ details.

Though this may indicate that 15-20% of all Taobao users were duplicating their user/pass details across numerous sites, the actual percentage is obscured by the fact that Taobao began to intercept and take action to protect users’ accounts when it noticed the extraordinary and suspicious onslaught of automated login behaviour following the data theft. Therefore the percentage could actually be higher than 20. It certainly isn’t any less, if the figures are to be believed.

Subsequent to the attack, Taobao blocked certain features of the site for affected users until they completed a password change. Police are not yet certain if other platforms have been affected by the data breach.