A disturbing new development to Tokopedia’s massive user data leak has been reported, with a cyber security firm finding evidence that 91 million users’ private information were put up online over the weekend.
In May, a data breach monitoring service reported that a hacker obtained the private data of 91 million Tokopedia users, containing their personal information, emails, and password hashes, and was selling it on the Darknet for US$5,000.
Yesterday, cyber security firm Communication and Information System Security Research Center (CISSReC) said someone — not necessarily the original hacker — who had gotten hold of the sensitive data uploaded it to a web forum on Friday, available for users to download for 8 forum credits. Anyone can purchase 30 forum credits for EUR8 (IDR130K or US$9).
“We saw the data of 91,174,216 users containing their full names, account names, emails, online shops, dates of birth, phone numbers, date of registration, as well as encrypted hash data,” CISSReC Chairman Pratama Persadha said in a public statement, adding that the data amounted to 25.8 GB in size.
As of Sunday morning, CISSReC said the file was downloaded by 58 users, but it was deleted from the forum in the afternoon.
Tokopedia asserted that the data is encrypted, making it difficult for anyone to access even if it has evidently been leaked.
“We have reported this to the police and we are warning all those involved to delete all data that was procured against the law,” Tokopedia Corporate Communications VP Nuraini Razak said.
But CISSReC believes the leaked data makes the 91 million users even more susceptible to phishing and scam.
“And through their emails and phone numbers culprits can send targeted content in order to provoke. This is surely dangerous,” Pramata said.
He added that the incident calls for Indonesia to strengthen its cyber and data protection laws in order to pressure both state and private firms to take private data protection seriously.