Indonesia’s largest e-commerce platform says it’s investigating a possible data breach in which hackers claim to have stolen data about 91 million customers.
Tokopedia, which is backed by $2 billion in funding from investors including SoftBank and Alibaba, told Reuters Saturday it was investigating an alleged theft of user data, though it maintained that user passwords were still encrypted.
Indonesia’s Minister of Communication and Information Technology, Johnny G. Plate, on Sunday urged Tokopedia to “immediately improve its security system to prevent a further breach in data.” The government also has summoned the board of directors to clarify the current state of the investigation in a meeting Monday.
The statement followed a series of tweets from Under the Breach, a data breach monitoring service, including screenshots, apparently from a vendor on a cybercriminal forum, advertising 15 million names, email addresses and hashed passwords. The same account then marketed 91 million records for $5,000 on the dark web, according to another tweet from Under the Breach.
UPDATE: same actor is now selling the full database with allegedly 91,000,000 records for $5,000 on the Darknet.
This is really bad, make sure you change your passwords for other services in case you are re-using passwords. pic.twitter.com/bGOnAhmQ7e
— Under the Breach 🦠 (@underthebreach) May 2, 2020
A number of Twitter users apparently from Indonesia replied to the Under the Breach tweet claiming their own email credentials had been compromised. By entering their own email addresses in the Have I Been Pwned database, which scours dark web marketplaces for stolen email credentials, Tokopedia users determined they were affected by the incident.
By press time Monday, Have I Been Pwned determined that the reported 15 million credentials included roughly 12 million unique email addresses, names, genders, birth dates and hashed passwords. Rather than being included in accessible plain text, the passwords are stored as SHA2-384 hashes. An attacker trying to crack the passwords would need to break the encryption protocol protecting them.
A Tokopedia spokesman told Reuters “all transactions with all payment methods at Tokopedia…remain secure.”
Tokopedia entered international consciousness in 2018 when it entered SoftBank’s Vision Fund, a global consortium of wealth which includes money from the Saudi Arabian government. It’s the same investment fund that once propelled WeWork’s value to $47 billion before the real estate company scrapped an initial public offering amid investors’ scrutiny.
Tokopedia claimed to serve 93% of the population of Indonesia, the fourth-most populated country in the world, TechCrunch reported in 2018.