Hacked JD.com Customer Data Being Traded, Reports Say
(Beijing) — Massive amounts of user data allegedly hacked three years ago from JD.com, China's largest business-to-consumer e-commerce platform, have been traded on the black market, Chinese media reported Sunday, putting the company's data security under the spotlight.
The company admits some customer information was stolen through a security loophole in 2013 but cannot verify the extent of the breach.
JD.com claims that security vulnerabilities were promptly fixed three years ago, and exposed users were given "strong recommendations" to change their passwords the next time they logged on to JD.com's system. "However, a small number of users failed to upgrade their account passwords, making them susceptible to risk," JD.com said.
A 12-gigabyte package of JD.com user data with complete sets of personal information was stolen, reported Yibencaijing, a FinTech news outlet. The lists include user names, citizen ID numbers, passwords, e-mail addresses and cellphone numbers.
Yibencaijing said much of the account information is still valid and can be used to log on to JD.com.
JD.com is still verifying whether all of the alleged 12GB of data was leaked through the company. However, it acknowledges that batches of information shown in screenshots from the report were hacked from the platform three years ago using a security loophole. JD.com said it has reported the case to Beijing police.
"The reason that this is surfacing three years later is that hackers typically maximize data utility before selling it off," says Tan Jianfeng, founder of cybersecurity company People2000, referring to "crashing bases," a practice in which cybercriminals attempt to crack accounts across platforms by trying the same leaked user names and passwords. "It's also possible that JD.com's competitors had a hand in this," he said.
"The question now is whether JD.com actively took sufficient measures to notify users of their risk," said Goodwell, one of the earliest cybersecurity experts in China. "Security issues are hard to avoid today. A company must ensure loopholes get closed, no exceptions.
"It's possible that JD.com downplayed the severity of the matter at the time to avoid panic."
JD.com has been plagued by similar data leaks in recent years. In 2015, JD.com users lost millions of yuan due to information leaks, which were revealed a year later to be the result of three employees stealing more than 9,000 pieces of user information.
The security vulnerabilities cited by JD.com were part of Struts 2, an open source web development project led by the Apache Software Foundation. The flaws resulted in mass information leaks and web-page tampering that affected JD.com as well as other major websites, including Taobao, the State Grid and some state-owned banks.
The only way to fortify accounts is to frequently reset passwords and use different personal identification numbers for each platform, said Chen Liang, head of Open Web Application Security Platform, a global information security organization in Beijing.
Chen said he is puzzled by the scale of the leaks, with possibly hundreds of thousands of pieces of information. "With the major online platforms clamping down on user security, massive leaks are now rare," he said.
Contact reporter April Ma (firstname.lastname@example.org)