Jan 22, 2019 06:50 AM

China’s Pinduoduo Reports Theft Worth Millions of Yuan

Coding bug allows Pinduoduo hackers to grab large number of 100 yuan promotional vouchers. Photo: VCG

Hackers took advantage of a loophole in online group discounter Pinduoduo Inc.’s platform to steal tens of millions of yuan worth of vouchers, the company said Sunday.

The bug has been fixed and the company has reported the incident to police, Pinduoduo said in a statement on its official Weibo account. The police in Shanghai started a cyber fraud investigation, freezing related vouchers.

The breach occurred late Saturday night when users found they could get a free 100 yuan ($14.75) voucher that could be applied to any item on the platform. Within hours, a large number of vouchers were redeemed, some of which were used to prepay phone bills and other virtual services, the company said.

Rumors soon circulated on social media that Pinduoduo could have lost 20 billion yuan ($2.95 billion) from the scheme. But the company denied that speculation and put its actual loss at less than 10 million yuan ($1.48 million).

The breach raised questions about the risk controls of the three-year-old e-commerce platform. The company denied any systemic security loopholes, saying that criminals exploited a loophole in the platform’s operating rules. It didn’t specify what the loophole was.

Based on currently available information, Pinduoduo’s multiple operating sections seem to have problems, said Fu Liang, an independent technology analyst. When a well-above-average number of orders flooded the system in the middle of the night, it should have triggered an alarm, Fu said.

In another statement Monday morning, Pinduoduo said the incident took place during the pre-Chinese New Year sales season, when a large number of coupons are normally issued and used.

E-commerce platforms should run fault tolerance tests when designing promotional programs to ensure the discounts actually benefit their target consumers, Fu said. Pinduoduo is too young and doesn’t have enough operating experience to prevent such breaches, Fu said.

The voucher was designed exclusively for a dating show, meaning it was never supposed to be available to broader users. However, hackers spread an illegally obtained QR code for the voucher on social media to lure more general users to exploit it, the company said.

Once exploiters redeem the vouchers and use them to buy virtual coins, they can resell their virtual coins and pocket the profits within minutes, Fu said, making it hard for Pinduoduo to track down the originators.

Pinduoduo said the platform won’t hold general consumers involved accountable for the incident, but it didn’t say how it would deal with the redeemed vouchers.

Pinduoduo sells mostly cheaper generic products, from toilet paper to fruit, mainly to lower-income shoppers in smaller cities. It allows users to group together to get better discounts.

The fast-growing company made a strong debut on the Nasdaq last July, following a $1.63 billion initial public offering that was one of the biggest flotations by a Chinese company in the U.S. in 2018. But the stock has gone on a choppy ride amid reports that it was selling counterfeit goods.

The company reported its net loss widened five-fold to 1.1 billion yuan in the third quarter.

Pinduoduo’s Nasdaq-traded stock dodged an immediate hit Monday because the U.S. stock market was closed in observance of Martin Luther King Jr. Day. The stock closed at $24.99 last Friday, up 31.5% from the IPO price.
