Indonesia’s largest e-commerce platform Tokopedia was the target of a hack, data breach monitoring firm Under the Breach said on its Twitter account on Saturday. The personal data, including email addresses, full names, mobile phone numbers, usernames, genders, locations, and hashed passwords of approximately 91 million users and merchants has been sold on the dark web, according to the firm.
Under the Breach showed a screenshot first published on the Raid Forum. A user or group going by the name of “Whysodank” said that it was selling data of 15 million users in March 2020.
The day after, Whysodank claimed to have the data of 91 million Tokopedia users, which it put up for sale on a dark web forum called Empire Market.
Responding to the issue, Tokopedia admitted that it discovered an attempt to steal data from its servers, but said that the passwords are still protected and that no payment data was leaked. However, the company said users should change their passwords.
“Tokopedia ensures that there is no payment data leak. All transactions using different payment methods, including debit card, credit card, and Ovo remain secure,” said Nuraini Razak, vice president of corporate communications.
Minister calls for investigation
Meanwhile, the Ministry of Communication and Information Technology said it will look into the matter. “I will ask the director general of application telematics to have a meeting with Tokopedia regarding the data breach,” minister Johnny G Plate said in a press statement on Sunday.
Plate asked Tokopedia to secure its system to avoid further security breaches. The company should also inform the account users whose personal data was exploited. Tokopedia needs to conduct an internal investigation to find the cause of the incident, according to the minister.