A group of hackers tried to access active accounts belonging to more than 20 million users of Taobao, Alibaba Group Holding Ltd.'s e-commerce unit.
The attackers used a database that contained the usernames and passwords of 99 million accounts from multiple popular websites, and then used AliCloud, Alibaba's cloud computing service, to enter the login credentials.
The attackers correctly assumed that many users reuse the same username and password across different websites, according to Reuters.
The attack “highlights a common practice in cyber-attacks and a common misstep in users managing their passwords – using the same password across multiple services,” wrote Yishai Beeri, CloudLock director of cybersecurity research, in an email to SCMagazine.com.
A company representative told the Wall Street Journal the suspects have been arrested.
The company has faced security flaws in the past. In December 2014, researchers discovered a major vulnerability that allowed attackers to change order details and access the personal and banking information of Alibaba customers. In December 2015, phishing attacks from spoofed Alibaba email addresses were used to trick Alibaba's customers into verifying their account information.