What happened
According to public breach records, the JD data breach on January 1, 2013 is reported to have exposed the personal information of 77,449,341 accounts.
In 2013 (exact date unknown), the Chinese e-commerce service JD suffered a data breach that exposed 13GB of data containing 77 million unique email addresses. The data also included usernames, phone numbers and passwords stored as SHA-1 hashes.
Passwords in this breach were reportedly stored as SHA-1 hashes.
In 2013, the Chinese e-commerce company JD (Jingdong / JD.com) suffered a breach that exposed roughly 13GB of data covering about 77.4 million unique accounts, including email addresses, usernames, phone numbers, and passwords stored as weak SHA-1 hashes. The company attributed the intrusion to a security loophole in the Apache Struts 2 web framework. The leak surfaced publicly in December 2016 when a ~12GB data package allegedly from JD was reported to be circulating for sale on the dark web, prompting JD to issue an official apology on December 11, 2016 and notify at-risk customers to update their accounts.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Passwords
- Phone numbers
- Usernames
Breach details
| Detail | Value |
|---|---|
| Breach name | JD |
| Date | January 1, 2013 |
| Accounts affected | 77,449,341 |
| Domain | jd.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by JD; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your JD password immediately and replace it anywhere you reused it — the leaked passwords were stored as SHA-1, a weak hash that is feasible to crack.
- Turn on two-factor authentication on JD and any account that shared the same password, so a cracked credential alone can't grant access.
- Treat unexpected emails, calls, and texts referencing your accounts as likely phishing, since both your email address and phone number were exposed and can be used to target you.
- Use a password manager to set a unique, strong password per site, ending any password reuse that this exposure could chain into other accounts.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Have I Been Pwned: JD Data Breach
- Ecommerce Giant JD Apologizes for Leak Exposing User Data — TechNode