    99 Million Brute Force Attempts on Alibaba Yields 21 Million Accounts

    • mlnews

      Brute force often still works, especially when your security team isn't paying attention. It only took ninety-nine million tries to find the right password to get into China's Amazon competitor's system and gain access to twenty-one million users' account details.

      • NattNatt

        Hah, is that it? 😉

          • scottalanmiller

          They might want to think about outsourcing their security.

            • NattNatt @scottalanmiller

            @scottalanmiller but they're the best in the world [/sarcasm]

              • scottalanmiller

              Alibaba says its systems were not breached and adds that it has reminded users not to reuse passwords.

              Supposedly only accounts were breached, not Alibaba itself.

                • Reid Cooper

                Seems like they should have noticed that degree of attack traffic, but reading how it happened it doesn't seem as bad as it sounds. It was 21 million individuals having common username/password combinations and it was their individual accounts being compromised, so the 99 million hits would have only been so noticeable in the general volume of traffic.

                The number only seems extreme given the lack of knowledge as to how large their normal traffic is.

                  • Dashrender

                  Isn't this the same thing that happened to Apple a few years ago?

                    • scottalanmiller @Dashrender

                    @Dashrender said:

                    Isn't this the same thing that happened to Apple a few years ago?

                    Yes, very similar.

                      • dafyre

                      By slowly attacking the system, trying to keep their brute force attempts under the radar, at just 1,000 logins per hour, it'd take them a little less than 2 weeks to process 99 million logins like that. You have to figure out whether or not they have any brute forcing detection built in, and then what the thresholds are... That's not an unimaginably long time for hackers to poke and prod.

                      What is scary is the ~20% success ratio.

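Added example, not part of any post in this thread: a sketch of why a per-account failure threshold misses the pattern discussed above (many accounts, one guess each, spread over time) while counting distinct usernames per source catches it. The event tuple layout, thresholds, IP addresses and usernames are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

def sample_events():
    """Constructed data: (timestamp, source IP, username, login succeeded)."""
    t0 = datetime(2016, 2, 1)
    # One source, 40 different accounts, one guess each, every 2 minutes.
    ev = [(t0 + timedelta(minutes=2 * i), "198.51.100.7", f"user{i:03d}", i % 5 == 0)
          for i in range(40)]
    # A real user who mistypes four times, then gets in.
    ev += [(t0 + timedelta(seconds=20 * i), "203.0.113.20", "alice", i == 4)
           for i in range(5)]
    return sorted(ev)

def per_account_lockouts(events, max_failures=3, window=HOUR):
    """Classic control: accounts with max_failures failed logins inside one window."""
    fails = defaultdict(list)
    for ts, _ip, user, ok in sorted(events):
        if not ok:
            fails[user].append(ts)
    return {u for u, t in fails.items()
            if any(t[i + max_failures - 1] - t[i] <= window
                   for i in range(len(t) - max_failures + 1))}

def fan_out_sources(events, max_users=20, window=HOUR):
    """Sources that tried more than max_users distinct usernames in any window."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, rows in by_ip.items():
        seen, start, peak = Counter(), 0, 0
        for ts, user in rows:
            seen[user] += 1
            while ts - rows[start][0] > window:   # slide the window forward
                seen[rows[start][1]] -= 1
                if not seen[rows[start][1]]:
                    del seen[rows[start][1]]
                start += 1
            peak = max(peak, len(seen))
        if peak > max_users:
            flagged[ip] = peak                    # peak distinct usernames seen
    return flagged

def accounts_to_reset(events, bad_ips):
    """Accounts a flagged source actually logged in to; these need a forced reset."""
    return sorted({user for _ts, ip, user, ok in events if ok and ip in bad_ips})
```

On the constructed data the per-account rule flags only the legitimate user who mistyped, while the fan-out rule flags the source that touched many accounts. The per-source key is the simplest choice; when attempts arrive from many addresses, the same count is usually keyed on a coarser attribute such as network range or client fingerprint.
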
                        • scottalanmiller @dafyre

                        @dafyre said:

                        What is scary is the ~20% success ratio.

                        Alibaba does not target the most technological demographics.

                          • Dashrender @scottalanmiller

                          @scottalanmiller said:

                          @dafyre said:

                          What is scary is the ~20% success ratio.

                          Alibaba does not target the most technological demographics.

                          And Apple does?

                            • scottalanmiller @Dashrender

                            @Dashrender said:

                            @scottalanmiller said:

                            @dafyre said:

                            What is scary is the ~20% success ratio.

                            Alibaba does not target the most technological demographics.

                            And Apple does?

                            Far more so. Alibaba targets only shoppers willing to use a horrible website (ever looked at it?) and can't access Amazon. So think about that target demographic.

                              • Dashrender @scottalanmiller

                              @scottalanmiller said:

                              @Dashrender said:

                              @scottalanmiller said:

                              @dafyre said:

                              What is scary is the ~20% success ratio.

                              Alibaba does not target the most technological demographics.

                              And Apple does?

                              Far more so. Alibaba targets only shoppers willing to use a horrible website (ever looked at it?) and can't access Amazon. So think about that target demographic.

                              Yes I have, I've purchased magnets from there before.

                                • StrongBad

                                Seems like maybe they should have noticed, but does not seem like the breach or issue was really all that big.

                                Lots of fake reviews, probably not the biggest deal.
