Indonesian e-commerce giant Tokopedia suffered a massive data breach after hackers leaked over 15 million user records, data breach monitoring firm Under the Breach reported. It was also discovered that threat actors had put the details of 91 million users up for sale on the darknet for $5,000. According to Under the Breach, the leaked records contained names, emails, password hashes, and other personal information.
“I’ve decided to share with you, part of March 2020, Tokopedia dump, Hashes contained have an unknown algorithm, and I’m looking for someone who can crack them. I acquired a copy of the dump however it didn’t contain the possible Salt, needed to crack the hashes. I will share 15 million out of much more, just google Tokopedia to see,” the hackers said in a post.
Tokopedia’s spokesperson, Nuraini Razak, confirmed the breach and claimed that the company had ensured the security of its users’ information. While Tokopedia is investigating the incident, Razak clarified that users’ financial details, such as credit/debit card numbers and e-wallet information, were not affected by the breach. She also advised users to change their passwords to prevent further damage.
“We have detected an attempt to steal data belonging to Tokopedia users. However, we have made sure that our users’ personal information, such as passwords, remain protected,” Razak said in a media statement.
“Although passwords and other crucial user data remain encrypted, we still encourage Tokopedia users to change their passwords periodically to ensure their safety and security,” the statement added.
The popularity of the e-commerce industry and an exponential increase in online shopping in recent times have led to the problem of online payment fraud. Recently, Indonesian police and Interpol arrested three men who belong to the Magecart hacking group for their involvement in Magecart attacks. Police officials stated that it is the first arrest of Magecart gang members.
The suspects, identified by the initials ANF (27 years), K (35 years), and N (23 years), were accused of injecting JavaScript sniffers into websites to capture information entered by site visitors. The suspects allegedly used the stolen payment card data to purchase electronic and luxury goods.