A spokesman for the company said the attack was detected "in the first instance," allowing it to alert users to change their passwords. He added that the company worked closely with an investigation launched by police.
"Alibaba`s system was never breached," the company spokesman said.
The hackers plugged in a database full of 99 million usernames and passwords into the Taobao website - using Alibaba`s cloud computing platform - to discover if some of the login credentials matched, in which 20.59 million accounts checked out.
The cyberattack began in mid-October and was discovered by Alibaba in November. The ministry said the hackers were in police custody.
Attacks against Chinese companies have increased significantly in the past year, with cyber security experts saying they lack the defenses needed to fend off sophisticated assaults.
"Cybercrime remains a growth industry," Europol said in its 2015 report.
"The Crime-as-a-Service (CaaS) business model, which grants easy access to criminal products and services, enables a broad base of unskilled, entry-level cybercriminals to launch attacks of a scale and scope disproportionate to their technical capability and asymmetric in terms of risks, costs and profits," Europol added.
More about:
