Millions of Alibaba-owned marketplace users exposed
Millions of users’ phone numbers, home addresses, and other personal information have been revealed on Taobao, an online shopping platform owned by Chinese tech giant Alibaba.

Recent market reports show that only half of consumers trust e-commerce platforms. The latest research from the Cybernews research team proves that user trust issues are not entirely unfounded.

According to the team, millions of users of Taobao, one of the world’s most visited websites, were likely exposed after researchers discovered an unprotected Elasticsearch cluster with publicly accessible user data.

“The origin of the data suggests that it may have been obtained from Taobao's servers illegally, possibly through web crawling or other unauthorized means,” our researchers surmised.

The now-closed cluster held a whopping 11.1 million records, with each record most likely representing one Taobao user. The exposed details include names, phone numbers, and home addresses.

Our researchers noted that the cluster was titled “Taobao” and contained information that was almost certainly related to Taobao users. However, the team could not independently verify the findings. According to Taobao, the company’s analysis did not indicate any data leaks.

“Data privacy and security is of utmost importance to Taobao. Based on our analysis of the sample data provided by Cybernews, there is no data leak identified on our platforms,” the company said.

Sample of the leaked data. Image by Cybernews.

Dangers of the Taobao leak

The team’s findings are not the first time that Taobao’s users have been exposed. Back in 2020, 1.1 billion of the platform’s users had their details illegally obtained by a marketing consultant who employed web scraping software.

“Our findings could indicate that attackers store a massive dataset for a quick search prior to a planned attack campaign,” researchers said.

The team explains that leaking the data of millions of users endangers individuals whose information was exposed. Threat actors could utilize the exposed information for identity theft, phishing attacks, or other fraudulent activities.

Additionally, personal information like names, phone numbers, and addresses can be leveraged for various malicious purposes, including identity fraud and spamming.

“This incident aligns with previous data breaches affecting e-commerce companies, highlighting the persistent need for robust cybersecurity measures to protect consumer privacy and trust in the digital marketplace,” our researchers said.

The team advised businesses dealing with large volumes of data to implement authentication and authorization mechanisms, and to configure firewall rules so that only traffic from trusted sources, such as specific IP addresses or ranges, can reach the Elasticsearch cluster.
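To make the advice above concrete, here is a small audit script (an added example, not code from Cybernews or from Elastic) that parses an elasticsearch.yml and flags the two settings that produce exactly this kind of open cluster: security switched off and the node bound to every interface. The two configurations and the address 10.0.5.12 are constructed samples; the setting names are real Elasticsearch options, and the host-firewall rule that should sit in front of the hardened node is assumed to be managed separately.

```python
"""Audit elasticsearch.yml for the misconfigurations behind unauthenticated,
internet-exposed clusters: security disabled and a bind to all interfaces."""
from typing import Dict, List

# Constructed sample: a node reachable from anywhere with no authentication.
WEAK_CONFIG = """\
cluster.name: demo-cluster
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication or authorization at all
"""

# Constructed sample: auth on, node bound to a private address; a host firewall
# (assumed, not shown) then limits 9200 to trusted IP ranges.
HARDENED_CONFIG = """\
cluster.name: demo-cluster
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
"""

# Bind values that expose the HTTP API on every (or every public) interface.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml normally uses."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per exposure-relevant weakness; empty list means clean."""
    findings: List[str] = []
    security = settings.get("xpack.security.enabled")
    if security == "false":
        findings.append("xpack.security.enabled=false: anyone who can reach the port can read every index")
    elif security is None:
        findings.append("xpack.security.enabled unset: security defaults to off on releases before 8.0")
    # http.host overrides network.host for the REST API; fall back to the loopback default.
    bind = settings.get("http.host", settings.get("network.host", "localhost"))
    if bind in PUBLIC_BINDS:
        findings.append(f"bound to {bind}: the HTTP API is exposed on all interfaces")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(cfg)) or ["no findings"])
```

Run against a real elasticsearch.yml by reading the file into `parse_flat_yaml`; a non-empty result from `audit` is the condition to fix before the node is reachable from outside the trusted range.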

Taobao is among China’s largest e-commerce platforms, with 895 million active Taobao app users in September of 2023 alone. In 2022, the Office of the United States Trade Representative added Taobao to its list of Notorious Markets for Counterfeiting and Piracy.