Chinese e-commerce giant JD has apologized for a user data leak in an official announcement on Sunday. The data leak exposed millions of users’ user names, passwords, email addresses, QQ accounts, ID numbers, and phone numbers.

JD claims that the leak actually took place in 2013. They attribute it to a security loophole in Apache Struts 2, an open-source web application framework used widely by Internet companies and governments.

%e5%b1%8f%e5%b9%95%e5%bf%ab%e7%85%a7-2016-12-12-%e4%b8%8b%e5%8d%8812-21-06

Leaked Database (via Yiben Caijing)

JD claims to have notified at-risk customers to update their accounts after detecting and closing the security holes.

Most of the affected users have updated their accounts, according to the announcement. However, the firm acknowledges risks remain for a small portion of users who haven’t updated their account.

The company is urging users to set more complicated passwords to make them harder to crack and changing those passwords regularly. They have already enlisted the help of the authorities.

On Saturday, Huxiu (report in Chinese) reported a 12 GB data package was being sold for between 100k to 700k RMB (14k to 100k RMB). Peddlers were claiming that the data came from JD.

The report cited an insider as saying the package had already been resold several times and was controlled by “. . . at least one hundred scammers.” The insider added that it is still unclear why data from 2013 is now being sold.

This is not the first time the NASDAQ-listed company has had a problem with data leaks. One year ago, more than 100 users filed a collective lawsuit against JD for leaking information and banking fraud.

Image Credit: JD