Caixin
Dec 12, 2016 07:46 PM
BUSINESS & TECH

Hacked JD.com Customer Data Being Traded, Reports Say

(Beijing) — Massive amounts of user data allegedly hacked three years ago from JD.com, China's largest business-to-consumer e-commerce platform, have been traded on the black market, Chinese media reported Sunday, putting the company's data security under the spotlight.

The company admits some customer information was stolen through a security vulnerability in 2013 but cannot verify the extent of the breach.

JD.com claims that the security vulnerabilities were promptly fixed three years ago, and exposed users were given "strong recommendations" to change their passwords the next time they logged on to JD.com's system. "However, a small number of users failed to upgrade their account passwords, making them susceptible to risk," JD.com said.

A 12-gigabyte package of JD.com user data with complete sets of personal information was stolen, reported Yibencaijing, a FinTech news outlet. The lists include user names, citizen ID numbers, passwords, e-mail addresses and cellphone numbers.

Yibencaijing said much of the account information is still valid and can be used to log on to JD.com.

JD.com is still verifying whether all of the alleged 12GB of data was leaked from the company's own systems. However, it acknowledges that batches of information shown in screenshots from the report were hacked from the platform three years ago through a security vulnerability. JD.com said it has reported the case to Beijing police.

"The reason that this is surfacing three years later is that hackers typically maximize data utility before selling it off," says Tan Jianfeng, founder of cybersecurity company People2000, referring to "crashing bases," the literal rendering of the Chinese term for credential stuffing: cybercriminals take leaked user name and password pairs and try them against the login pages of other platforms, betting that many users reuse the same password everywhere. "It's also possible that JD.com's competitors had a hand in this," he said.
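The "crashing bases" pattern described above has a recognizable shape in a platform's own login logs: one source tries many different accounts, roughly once each, and, because the pairs are real leaked credentials rather than guesses, a fraction of the attempts succeed. The script below is an added illustration of that detection logic and of the follow-up it implies (forcing a reset on the accounts that were actually entered, rather than merely recommending one). It is not code from the article, from JD.com or from any of the quoted experts; the log format, IP addresses, user names and thresholds are assumptions constructed for the example.

```python
"""Credential-stuffing ("crashing bases") detector over authentication logs.

Added example only. The log line format, addresses, accounts and thresholds
below are constructed for illustration and are not JD.com data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 walks a leaked list (many accounts, one
# try each, some hits). 198.51.100.9 hammers a single account (brute force,
# a different pattern). 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2016-12-11T10:00:01 ip=203.0.113.7 user=alice result=fail
2016-12-11T10:00:02 ip=203.0.113.7 user=bob result=fail
2016-12-11T10:00:02 ip=203.0.113.7 user=carol result=success
2016-12-11T10:00:03 ip=203.0.113.7 user=dave result=fail
2016-12-11T10:00:04 ip=203.0.113.7 user=erin result=fail
2016-12-11T10:00:05 ip=203.0.113.7 user=frank result=success
2016-12-11T10:00:20 ip=198.51.100.9 user=alice result=fail
2016-12-11T10:00:25 ip=198.51.100.9 user=alice result=fail
2016-12-11T10:00:31 ip=198.51.100.9 user=alice result=success
2016-12-11T10:05:00 ip=192.0.2.44 user=grace result=success
"""

# Assumed thresholds: tune to the platform's real traffic before use.
WINDOW = timedelta(seconds=60)
MIN_ATTEMPTS = 5
MIN_DISTINCT_USERS = 4


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "success",
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_credential_stuffing(events, window=WINDOW,
                               min_attempts=MIN_ATTEMPTS,
                               min_users=MIN_DISTINCT_USERS):
    """Return {ip: alert} for sources that try many distinct accounts
    inside one sliding time window. Single-account hammering is not
    flagged here; that is brute force, not credential stuffing."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(win) >= min_attempts and len(users) >= min_users:
                hits = sorted(e["user"] for e in win if e["ok"])
                prev = alerts.get(ip)
                # Keep the widest qualifying window seen for this source.
                if prev is None or len(win) > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "compromised": hits,
                    }
    return alerts


def accounts_to_force_reset(alerts):
    """Accounts that a stuffing source logged into successfully: the leaked
    password is confirmed valid, so a forced reset (not a recommendation)
    is the appropriate response."""
    return sorted({u for a in alerts.values() for u in a["compromised"]})


if __name__ == "__main__":
    alerts = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, a in alerts.items():
        print(ip, a)
    print("force reset:", accounts_to_force_reset(alerts))
```

On the constructed sample only 203.0.113.7 is flagged (six attempts across six accounts in five seconds, two of them successful); the single-account retries from 198.51.100.9 fall under a separate brute-force rule, and the successful accounts carol and frank are the ones a platform should lock and reset rather than merely warn.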

"The question now is whether JD.com actively took sufficient measures to notify users of their risk," said Goodwell, one of the earliest cybersecurity experts in China. "Security issues are hard to avoid today. A company must ensure loopholes get closed, no exceptions.

"It's possible that JD.com downplayed the severity of the matter at the time to avoid panic."

JD.com has been plagued by similar data leaks in recent years. In 2015, JD.com users lost millions of yuan due to information leaks, which were revealed a year later to be the result of three employees stealing more than 9,000 pieces of user information.

The security vulnerabilities cited by JD.com were in Struts 2, an open-source web application framework maintained by the Apache Software Foundation. The flaws resulted in mass information leaks and Web-page defacements that affected JD.com as well as other major websites, including Taobao, the State Grid and some state-owned banks.

The only way to fortify accounts is by frequently resetting passwords and using different personal identification numbers for each platform, said Chen Liang, head of the Open Web Application Security Project, a global information security organization, in Beijing.

Chen said he is puzzled by the scale of the leaks, with possibly hundreds of thousands of pieces of information. "With the major online platforms clamping down on user security, massive leaks are now rare," he said.

Contact reporter April Ma (fangjingma@caixin.com)
