Personal information of 91 million users of Tokopedia, an Indonesian technology company specializing in e-commerce, are being sold on the Darknet for $5,000, which were stolen in a hack attempt by an unknown hacker.
“We found that there had been an attempt to steal data from Tokopedia users. However, Tokopedia ensures that crucial information such as passwords remains successfully protected behind encryption,” a spokesman for the company said in a statement late Saturday.
“At this moment, we continue to investigate further into this matter and there is no additional information that we can share,” the statement added.
Under the Breach, a data breach monitoring and cybersecurity intelligence firm was the first to tweet about the Tokopedia user data leakage.
Actor leaked the database of Tokopedia – a large Indonesian technology company specializing in e-commerce.
– Hack occurred in March 2020 and affects 15,000,000 users though the hacker said there are many more.
– Database contains emails, password hashes, names pic.twitter.com/CZTYImj6jA
— Under the Breach ? (@underthebreach) May 2, 2020
The hacker claims to have hacked the company in March 2020 and only a small portion of a more substantial 91 million user dump was stolen in the hack. The hacker distributed 15 million user samples on an online hacker forum in the hope that someone could help break through the user’s password secured with the SHA2-384 hashing algorithm so that it could be used to access the account.
The hacker also said the database didn’t contain the “salt” random strings used to improve the security of the SHA2-384 hashing function, which means that cracking the passwords would be a more time-consuming task.
With the help of data breach monitoring firm Under the Breach, ZDNet publication obtained a copy of the leaked file.
According to ZDNet, the dump is a PostgreSQL database containing user information such as username, full name, gender, email address, phone numbers, hashed password, date of birth, location and Tokopedia profile-related details (account creation date, last login, email activation codes, password reset codes, location details, messenger IDs, hobbies, education, about-me fields, and much more).
ZDNet verified the authenticity of the leaked data.
Tokopedia itself has acknowledged the existence of an attempt to steal 15 million user data. However, the e-commerce company did not explain how many were affected and whether data of users were leaked.
Currently, Tokopedia is investigating the security breach and has notified the users to change their passwords to enable two-factor authentication. The company also confirmed that the user’s credit card, debit, and Ovo data were not affected in the hack and are secure.
At the time of this writing, the hacker has sold Tokopedia’s database to at least 2 buyers, of which one has confirmed the authenticity of the leaked data.