Scam of the day – February 7, 2016 – 20 million accounts hacked on Alibaba’s Taobao shopping website

Alibaba is the biggest online shopping website in China and perhaps the world. Hundreds of millions of people use its three main websites, which, of course, makes it a target for hackers. Recently, Alibaba revealed that 20.59 million accounts on Alibaba’s Taobao e-commerce shopping site were accessed by hackers. The hacking was not due to a failure of Alibaba’s own security. Rather, as in the hacking of online income tax preparer TaxAct that I wrote about in the Scam of the day for February 3rd, it was carried out with user names and passwords stolen from other websites. In the case of Taobao, the hackers used a black market database of the user names and passwords of 99 million people and found that 20.59 million of the user name and password combinations used on other hacked websites were also used on Taobao. Alibaba said it managed to identify and block much of the unauthorized access to its customers’ accounts, and Chinese law enforcement has already arrested twenty-five people in regard to the cyberattack.
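The matching described above, in which a leaked list of user names and passwords is checked against a site’s own accounts, is also how a site can find which of its users are at risk. The following is an added example, not code from this post or from Alibaba: it uses a constructed leak list, a constructed user store and an assumed salted PBKDF2 hash scheme, and flags the accounts whose leaked password still works so they can be locked and reset.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample standing in for the black-market list of user names and
# passwords taken from other sites (no real credentials).
LEAKED_CREDENTIALS: List[Tuple[str, str]] = [
    ("alice", "IDon'tLikePasswords!!!"),  # same password here -> flag
    ("bob", "123456"),                     # same password here -> flag
    ("carol", "hunter2"),                  # different password here -> not flagged
    ("dave", "password1"),                 # no account here -> ignored
]

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, an assumed scheme for the sample store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user_store(plaintext: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build {username: (salt, hash)}; plaintext exists only to construct the sample."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for username, password in plaintext.items():
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store

def find_reused_credentials(store: Dict[str, Tuple[bytes, bytes]],
                            leaked: List[Tuple[str, str]]) -> List[str]:
    """Return user names whose leaked password also unlocks their account here."""
    flagged = []
    for username, leaked_password in leaked:
        record = store.get(username)
        if record is None:
            continue  # leaked user has no account on this site
        salt, stored_hash = record
        # Re-hash the leaked password with the user's own salt; compare in constant time.
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            flagged.append(username)
    return flagged

# Constructed user store for this site; carol uses the post's per-site variant.
SITE_USERS = make_user_store({
    "alice": "IDon'tLikePasswords!!!",
    "bob": "123456",
    "carol": "IDon'tLikePasswords!!!Tao",
    "erin": "correct horse battery staple",
})

if __name__ == "__main__":
    print(find_reused_credentials(SITE_USERS, LEAKED_CREDENTIALS))  # ['alice', 'bob']
```

Only the accounts that share a password with the leak are returned; a user who appears in the leak with a different password, or who has no account on the site, is not touched.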
Whether you are a user of Taobao or not, the lesson is clear: you should have unique user names and passwords for all of your online accounts. It is not that difficult to do. People’s failure to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft. Passwords should be complex so they cannot be broken by simple brute force attacks that try millions of guessable combinations, such as any word in the dictionary or common passwords like 123456. One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords”, and turn it into the basis for a password by making it IDon’tLikePasswords. This password is already complex in that it has words and a symbol. Now add a couple of symbols at the end of the password so it reads IDon’tLikePasswords!!! and you have an easy-to-remember but strong password. You can then adapt it for each of your online accounts with a few letters that identify the account. Thus, your Amazon password can be IDon’tLikePasswords!!!Ama, and you have a strong but easy-to-remember password.

In addition, whenever you can use dual factor authentication, you should take the opportunity to do so. With dual factor authentication, you receive a one-time code on your smartphone each time you log in to your online account. Although this may seem like an inconvenience, it is extremely useful and not terribly time consuming.