The Wall Street Journal reports that Alibaba’s Taobao shopping website was hit by a web crawler that collected users’ ID and mobile phone data for eight months, according to a Chinese court filing, and more than 1.1 billion pieces of user data were captured. Clement Chen, an assistant professor of law at the University of Hong Kong, noted that Chinese consumers predominantly use their mobile phones to sign up for most Internet services, thus cell phone data helps a bad actor identify their social media accounts and other PII. Taobao.com is ranked by web traffic statistics and analytics site Hypestat as the 8th most popular website worldwide, with 10 billion+ monthly visits.
<p>When organizations discover they have been breached, it is usually determined that the cyber criminals were accessing data for a significant length of time.</p> <p>Organizations should focus on protections if the cyber criminals are already in the network instead of reacting after the breach; especially as this relates to technology and processes in place to secure and protect sensitive information like names, email addresses and phone numbers.</p> <p>A software developer may have already had access to the website or via a third-party site, which is a common attack vector for cyber criminals to leverage the supply chain for the website to gain access.</p>
<p>Two things about this breach are concerning. First, 1.1 billion users is an ENORMOUS number! So many Chinese mobile phone numbers are now at risk of being used to commit vishing and texting schemes, as well as potential identity theft when paired with the user’s real name identification. Second, the attacker had been collecting data for eight months before Alibaba noticed. Eight months is an eternity in cyber space, and accounts for the software developer’s ability to gather that many mobile phone numbers. As always, cyber defenses should be deployed that are able to discover anomalous activity in real time and prevent attackers from compromising your data.</p>
<p>It’s hard to say exactly how the scraping was done but it seems likely that the API was the route into the data and most probably a BOLA (Broken Object Level Authorization) vulnerability was exploited to access it. Recent <a href="https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUXsW-2Ff9nBaXELW3V-2FKbqk78Qsny7r7w1ith-2FNlAyxhC569c1_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGTO5AKaXxfXA6PdkmD9nZzOoTnHFT1UG5oGB72ysmgMLmjhb2836-2BBeKREsTo80daEr3-2Bk-2F9y0kgPX-2FW8HkF0tzd6WZNZMFW-2BzMffTPHRQWZmz9zLu77dgxu8TxAxdKYadbV-2FEKx-2B8vwyJ7H1OZiYEpdRPxy6rrebWYgLMlPWJzaV5APQPEdb-2F3rxBH01oCtd7EAmwZ1QA3TSh7sQ0xbl5ZjcQqfAGxIN3EpoRuUgah58KYqvnVnTggTwK56c3t4piLJ8IUDGTzJzOgMKXibXxGxbtpvIneKSmGon4vWUrrI" target="_blank" rel="noopener">security research into mHealth apps and APIs</a> disclosed similar issues. The key lesson is understanding the importance of ensuring that the user getting the data is really authorized to do so. Vulnerabilities like this are hard to track down, and while enterprises are doing so it is good practice to shield APIs so that scripts intent on data scraping – or worse – are blocked.</p>
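<p>To make the BOLA point above concrete, here is an added example (not code from the article or from any Taobao system) of a profile-lookup handler that authenticates the caller but never checks which record the caller may read, beside the corrected handler, plus a per-caller sliding-window rate limit of the kind used to shield an API from bulk scraping scripts. The user store, ids and phone numbers are constructed placeholders.</p>

```python
# Added example: object-level authorization for a "get user profile" API,
# the BOLA mistake beside its fix, and a per-caller rate limit for scrapers.
from collections import defaultdict, deque

# Constructed sample store (placeholder PII, not real data): user id -> record
USERS = {
    1001: {"name": "A. Example", "phone": "+00-000-0000-0001"},
    1002: {"name": "B. Example", "phone": "+00-000-0000-0002"},
}


def get_profile_vulnerable(caller_id, target_id):
    """BOLA: the caller is authenticated (caller_id is known) but the handler
    never checks that caller_id may read target_id, so any logged-in client
    can walk through every id and harvest each record."""
    return USERS.get(target_id)


def get_profile_fixed(caller_id, target_id, is_admin=False):
    """Object-level check: a caller may read only its own record unless it
    holds an admin role. An unauthorized read returns None, not the record."""
    if caller_id != target_id and not is_admin:
        return None
    return USERS.get(target_id)


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds
    for each caller. A bulk scraper trips it long before it reaches millions
    of records; legitimate clients reading their own profile never notice."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # caller id -> timestamps in window

    def allow(self, caller_id, now):
        q = self.hits[caller_id]
        while q and now - q[0] >= self.window:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject and log for detection
        q.append(now)
        return True
```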