JD 2013 Data Breach

JD.com Chinese E-Commerce Platform Breach (2013): 141 Million User Accounts Including Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Web Application ExploitRetailEmail AddressPasswordPhone NumberUsername
Low SeverityWebsite / service breach

JD.com Chinese E-Commerce Platform Breach (2013): 141 Million User Accounts Including Passwords Exposed

Chinese e-commerce company.

Verified by ObscureIQ Intelligence
23/100Breach Risk Index
5Data Value
25Market Recency
519dSince Breach

Breach Intelligence Summary

Entity: JD · Actor: Unknown · Sources: 4 references
Attack: Web Application Exploit
Profile: Platform · E-commerce retail and logistics · Direct sales + marketplace platform · China / Global
Timeline: Breach (2013-01-01) · Indexed (Feb 04, 2025) · Year (2013)
Exposure: 141.6M records · 4 fields: Email Address, Password, Phone Number, Username
Status: Confirmed

Executive Summary

A JD.com breach dating to 2013 exposed roughly 141.6 million accounts (about 77 million unique email addresses), with the data surfacing for trade in 2016. Exposed data included email addresses, usernames, phone numbers, and passwords stored as SHA-1 hashes. JD.com attributed the compromise to an Apache Struts 2 vulnerability.

ObscureIQ assessment: High risk of fraud, phishing, and account takeover. Large datasets enable mass targeting and behavioral profiling.

Breach Impact

The pairing of phone numbers with email and crackable SHA-1 credentials at massive scale supports credential stuffing, SMS phishing, and large-scale account-takeover attempts against Chinese consumers.

About JD

JD.com (Jingdong) is one of China’s largest e-commerce companies, operating a major online retail and logistics platform serving hundreds of millions of customers.

Why They Hold Your Data

Large-scale e-commerce platforms collect customer identity, contact data, payment information, order history, and logistics records across integrated retail ecosystems.

Recent Developments

JD.com apologized in 2016 when data traced to the incident began circulating. The company attributed the breach to a vulnerability in the Apache Struts 2 framework.

Data Points Exposed

4 verified field types
Email Address
Password Critical
Phone Number
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the JD breach?

A JD.com breach dating to 2013 exposed roughly 141.6 million accounts (about 77 million unique email addresses), with the data surfacing for trade in 2016. Exposed data included email addresses, usernames, phone numbers, and passwords stored as SHA-1 hashes. JD.com attributed the compromise to an…

What data was exposed?

Verified fields include Email Address, Password, Phone Number, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
BreachForums_Official_Index
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation