A hacker is selling a database containing the information of 91 million Tokopedia accounts on a dark web market for as little as $5,000. Other threat actors have already started to crack passwords and share them online.
Tokopedia is Indonesia's largest online store, with 4,700 employees and over 90 million active users.
This weekend, data breach monitoring and cybersecurity intelligence firm Under the Breach discovered that a hacker was offering the account information for 15 million Tokopedia users on an online hacker forum.
To access this data, forum users would need to spend eight site 'credits', which cost approximately €2.13.
The hacker claims that this data was a small subset of a more substantial 91 million user dump stolen from Tokopedia during a March 2020 hack.
Soon after the smaller subset was released on the hacker forum, the same hacker began selling the full 91 million user database on an online criminal marketplace for as little as $5,000. At the time of this writing, the database has been sold two times.
From a sample of the leaked data shared with BleepingComputer by Under the Breach, the dump was of a PostgreSQL database that contains many fields for personal user data, but only a small subset of those fields actually contain information.
The most serious of the exposed data consists of a user's email address, full name, birth date, and hashed user passwords. Some of the exposed accounts also have their mobile device's Mobile Station International Subscriber Directory Number (MSISDN) listed.
In a statement, Tokopedia's VP of Corporate Communications, Nuraini Razak, told BleepingComputer that they are currently conducting an investigation into the data leak and are enhancing the security of their systems.
"Tokopedia is working closely with several strategic partners, including the Ministry of Communication and Information Technology RI and National Cyber and Crypto Agency, to conduct a thorough investigation, while enhancing the security system in order to maintain user confidence.
We would like to emphasize once again that Tokopedia is a business of trust. Therefore, the security of our users' data is Tokopedia's utmost priority."
Hackers start to offer dehashed passwords
Under the Breach has told BleepingComputer that threat actors have already started to share over 200,000 user names and their associated dehashed, or cracked, passwords on hacking forums.
These dehashed accounts are being shared for free to users who simply reply to the forum topic or who have upgraded accounts on the forum.
Cybersecurity intelligence firm Cyble has also told BleepingComputer that they are aware of threat actors who claim to be selling a list of millions of Tokopedia usernames and their associated dehashed, or cracked, passwords for just $8,000.
Cyble believes the database has been privately circulating since April, and now that it is publicly leaked, the threat actor decided to sell their dehashed account list before others release it.
BleepingComputer has not been able to independently confirm whether these are legitimate dehashed accounts or whether the threat actor is running a money-grab scam.
Cyble has stated that they acquired the Tokopedia database and users can check if their account has been exposed via Cyble's data breach monitoring platform amibreached.com.
All Tokopedia users should assume that if their password has not been dehashed already, it may be in the future, and should immediately change their password to a unique one used only at that site.
For any other site where the same password was used, it should be changed to a unique one there as well.
Finally, all users who were exposed by this data breach should be on the lookout for targeted phishing attacks that utilize the information from this data dump.
Update 5/4/20: Added statement from Tokopedia
Comments
Yundar - 4 years ago
Tokopedia is doing system maintenance, hopefully all will be safe and no victims will be harmed. In the COVID-19 pandemic era there were still bad people who committed crimes in the cyber world. I am sad to see this information. Thank you, regards from Indonesia.