
China authorities summon Alibaba executives as they investigate a historic Data Theft
19 Jul, 2022 / 05:47 AM / Alibaba

Source: http://www.mashable.com


Alibaba's database and dashboard for accessing and controlling data were both using outdated versions of the products, according to researchers.

According to people familiar with the matter, Alibaba's cloud division executives have been summoned by Shanghai authorities to appear before them in connection with the theft of a massive police database. This has heightened the urgency of Alibaba's internal investigation into how one of the largest data heists in history was allowed to occur.

Data on an estimated one billion Chinese residents was put up for sale online in late June for about $200,000, which sparked an inquiry. For more than a year, a dashboard for administering the database had been exposed to the public without a password, making it easy to steal and delete the database's contents.

Scans of the database determined that it was hosted on Alibaba's cloud platform. Employees at the company also confirmed the connection.

After an anonymous seller posted an offer for the data and supplied a sample of it in a cybercrime forum, senior managers from Alibaba and its cloud unit met electronically to prepare an immediate response.

Alibaba Cloud Vice President Chen Xuesong, who was recently hired to manage the unit's digital public-security division, has been summoned to meet with the Shanghai authorities, sources say.

Some employees familiar with Alibaba's response indicated that, as soon as the theft was discovered, the company's engineers temporarily banned all access to the compromised database and began analyzing related code. According to them, the cause of the breach has yet to be determined.

Alibaba's cloud was used to store the stolen data, according to two cybersecurity firms that spoke to The Wall Street Journal. Based on a review of the database's metadata, they said the technology used was many years old and lacked fundamental security protections.

Samples provided by the seller lead experts to assume that the stolen data includes personal information such as names, government ID numbers, and phone numbers for most Chinese citizens, including kids. It's not unusual for databases to be left open, but cybersecurity experts were surprised to see this much critical information available for anybody to access.

The data breach has exposed the scale of China's digital monitoring infrastructure, as well as the difficulty the government has in keeping that data secure.

The dashboard for the stolen police database was discovered last week by cybersecurity researchers to be password-less. Neither Alibaba nor the Shanghai police has commented on this.

Two cybersecurity organizations that scan the web for insecure databases, LeakIX and SecurityDiscovery, said the dashboard was passwordless and there wasn't an option to create one.

Alibaba's database and dashboard for accessing and controlling data were both using outdated versions of the products, according to researchers. Security measures like password protection were missing from those editions, according to the report, because an add-on was never installed.

However, because the dashboard was placed on a public internet server rather than the database's private server, it acted as an open door to the vault and allowed the data within it to be exported without restriction.

The database also lacked an updated security certificate, a unique digital identification needed to secure web traffic, the use of which has become a regular practice. According to the researchers, Alibaba last issued a fresh certificate in September of 2017, and it expired a year later without being renewed.

According to Gregory Boddin, LeakIX's chief technical officer, using an expired certificate did not raise the database's vulnerability but indicated that upkeep had been neglected. For the past four years, he continued, "there was no maintenance whatsoever."