Homegrown e-commerce unicorn Tokopedia has had its internal database breached by an as-yet unidentified party, resulting in a massive data leak that has affected millions of its users, according to a recent report by cybersecurity research collective Under the Breach.
The group wrote on its official Twitter page @underthebreach that the hack occurred in March and affected personal information belonging to more than 15 million users.
The full database – which reportedly includes 91 million records consisting of email addresses, password hashes (an encrypted form of users’ passwords) and names of Tokopedia users – has now been put up for sale on the dark web for US$5,000 by a member of data-exchange platform Raid Forums, the group said.
Actor leaked the database of Tokopedia - a large Indonesian technology company specializing in e-commerce.— Under the Breach 🦠 (@underthebreach) May 2, 2020
- Hack occurred in March 2020 and affects 15,000,000 users though the hacker said there are many more.
- Database contains emails, password hashes, names pic.twitter.com/CZTYImj6jA
Tokopedia spokesperson Nuraini Razak confirmed that a breach had taken place but claimed the company had ensured the security of its users’ personal data.
“We have detected an attempt to steal data belonging to Tokopedia users. However, we have made sure that our users’ personal information, such as passwords, remain protected,” Nuraini said in a statement on Saturday.
Nevertheless, she urged Tokopedia users to change their passwords to prevent data thieves from misusing their accounts despite the platform’s encryption measures.
“Although passwords and other crucial user data remain encrypted, we still encourage Tokopedia users to change their passwords periodically to ensure their safety and security,” Nuraini said.
Data related to payment methods stored on Tokopedia, such as credit cards, debit cards and e-wallet information, was not affected by the breach, she said, adding that the company was investigating the breach.