back to article Alibaba security fail: Brute-force bonanza yields 21m logins

Up to 21 million accounts on Alibaba e-commerce site TaoBao may have been compromised thanks to stolen credentials reused on breached third-party sites. TaoBao is a seller-to-seller commerce site like Gumtree or eBay where users rely on reputation to secure the most sales. Reuters reports that China's Ministry of Public …

  1. Pascal Monett Silver badge
    Trollface

    Great start to the year

    Not even mid-February and we already have the counter pegged beyond 20 million account details slurped.

    Way to go to reach 100 million before the end of the year. Who says 100 million before July ?

    Anyone ?

  2. Anonymous Coward
    Anonymous Coward

    We need more info as...

    "Ducklin says the attack serves as a warning for web site owners to apply login rate limiters"

    As they say, if they are processing millions of logins a day, if you use a bot net, each trying 5 or 6 different logins every now and again, it's never going to get flagged.

    Heck I've done that on websites I've known I have an account on, but have no clue what user name or password I used, usually because of some stupid policy some idiot dreamed up on the back of a fag packet.

    1. Joe Montana

      Re: We need more info as...

      Chances are they, like most places, implemented lockouts on an individual account basis. So because the attackers only ever tried one password per username, nothing was ever detected.

  3. YetAnotherLocksmith

    2 factor?

    2 factor gets trotted out all the time, but how? The cheapest imaginable device is free, on a user's phone for example, but the cost of 99% of users not installing the app and not using your site/store is still too high.

    And sending a 2 factor device would cost millions at least, for 99 million users.

    2FA isn't the answer in 99% of use cases.

    1. Dan 55 Silver badge

      Re: 2 factor?

      It's either that or storing a certificate on the client.

    2. SolidSquid

      Re: 2 factor?

      It's a way of offsetting liability. If the company recommends 2FA and you don't use it, well they of course can't be held liable for any breaches if you haven't done as they recommended

    3. Ian Emery Silver badge

      Re: 2 factor?

      They now do 2 factor, a "Captcha" style challenge after entering your user name and password; I wondered why they started doing this at the end of November.

      1. david 12 Bronze badge

        Re: 2 factor?

        >They now do 2 factor

        Or, as Alex Papadimoulis of The Daily WTF memorably called it in 2007, "Wish-it -was 2-factor security"

        Real 2F security is "something that the user knows, something that the user possesses or something that is inseparable from the user"

  4. Winkypop Silver badge
    Devil

    So, we need to know

    How many passwords were: OpenSesame ?

    1. BebopWeBop Silver badge
      Happy

      Re: So, we need to know

      No Genie

  5. Anonymous Coward
    Anonymous Coward

    I guess they need one of those are you a human captcha for their login.

  6. Anonymous Coward
    Anonymous Coward

    Another arms race...

    Various mechanisms exist to transparently profile and if necessary validate the client end (agent strings, resolution, input rate and profile, connection origin - residential vs data centre) to assess whether it's a human or a computer but as ever the bad guys are able to move a lot quicker than the good guys and associated malicious activity such ad-fraud has refined the malware industry in making bots act more human. Definitely not an easy problem to address never mind at scale.

  7. smartypants

    This will never be fixed?

    Use a different password on each site? Hard*.

    Use a difficult-to-crack password? Hard*.

    Keep all your eggs in different baskets? Hard*.

    Use 2FA? Hard*.

    Check email origins to ensure a non-malicious sender? Hard*

    Other 'solutions'? Hard*

    *Clearly not all hard for the people here, but hard enough that few IT people do all of them all the time, and hard enough that your average punter will glaze over immediately. My dad barely knows what a password is, yet most people online today have the same (low) interest in techy stuff and just want to read about stuff and buy stuff online.

    So why have we built a world where the security measures are hard for the average person to deal with? Things are really broken and the bad people are having a field day.

    I don't know what the answer is..., but rolling our eyes as the data-exploit-of-the-day is announced isn't going to help. How do we build a secure digital world that ordinary people can use without risk?

    1. breakfast
      Boffin

      Re: This will never be fixed?

      The accepted wisdom is that security is hard, and just once in a while wisdom is accepted because it is true rather than simply because it is easy. The problem is that in general you want to offer people the simplest thing that can possibly work, but that either relies on human factors ( such as users being able to choose a good password, which is tricky because users are humans ) or mechanical factors ( such as locking an account to a single machine with a specific certificate on it which become problematic when the user loses access to the exact mechanical configuration they were using or needs to access the service from another system or location.)

      There are good ideas around but it doesn't seem as though anybody has really got to the heart of this problem yet and a lot of very smart people on the usability and security sides have been working on it for a long time.

    2. C Montgomery Burns

      Re: This will never be fixed?

      "So why have we built a world where the security measures are hard for the average person to deal with? Things are really broken and the bad people are having a field day."

      I think the problem is one of perception. People aren't placing a high enough mental value on their digital accounts. Nobody needs to remind anyone to lock their door or car, because the loss would be immediate and tangible. Yet few complain of the hassle of carrying around a set of keys.

      Realistically, it might take identify theft, money theft, or some other personal disaster for most to take their online accounts more seriously.

  8. Dan 54

    Is it that really that hard for users?

    You can use a password vault like lastpass to store a different password for every site you use. It can generate them for you containing a mix of lower and upper case, numbers, special characters. You can use it on any device. You then protect this with two factor authentication. Preferably with something like duo that provides out of band push notifications to your phone and even better use this with Touch ID if your phone has it.

  9. Anonymous Coward
    Anonymous Coward

    Now, has anyone got a copy of that database? Would be interesting to check against...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019