Alipay admits single user was victim of a data leak, but would not say whether others who have encountered the same problem are affected

The country’s largest online payment service by number of users has said a customer who found his account was linked to e-commerce websites without his knowledge was the victim of a data leak, but did not comment when other users found similar problems with their Alipay accounts.

The Alipay user stated on Sina Weibo, the Chinese version of Twitter, on October 8 that he was going through the settings for his account and discovered that it had been authorized to make payments to five websites even though he never gave his permission. The user of Alipay said he was never notified the links had been established, and he feared he would be responsible for purchases he did not make.

An Alipay source who declined to be named described the issue as “a design flaw,” and Alipay said on Weibo on October 10 that a leak of the user’s personal information was to blame for the problem. Other Alipay users have said in online comments that checks of their accounts showed that these too had been authorized to make payments to websites without their knowledge. Alipay has not said whether these users were the victims of data leaks. Many users said that later checks showed that the links had been removed from their accounts. However, some said they had to contact Alipay to do this because they could not remove them on their own.

The Alipay employee said that the team responsible for designing the company’s website had been notified of the problem and would fix it. The team had thought about requiring users to verify such links, but chose to skip the step to help the user experience, the employee said.

Alipay is China’s most popular online payment tool. As of 2013, it had 300 million users who registered their real names with the company. The company was criticized for an incident in May that saw its service stop working for more than two hours.

The central bank has repeatedly chastised Ant Financial Services Group and its competitors for too often trading security for the convenience of users. The company has been told to put some of its new services – such as e-credit cards and payments made by the scanning of codes – on hold because they failed to meet the central bank’s security standards. The regulator fears that scammers can use flawed payment systems to commit fraud on a large scale.

Source: Caixin.com