Tokopedia, one of Indonesia's largest e-commerce marketplaces, has reportedly suffered a security breach, with personal details of its entire database of 91m users stolen and put up for sale on the dark web by hackers.
Cybercrime and data breach monitoring company Under the Breach reported the Tokopedia data sale in an updated post on Twitter on Sunday. It also advised users to change their passwords at once for Tokopedia and other services if they had reused the same password.
Tokopedia's VP of Corporate Communications Nuraini Razak acknowledged that there was an "attempt to steal Tokopedia user information," and the company is investigating the breach. She said in a written response to CompassList that passwords and other crucial information are protected under encryption, and that payment information was not leaked. However, Tokopedia urged customers to change their passwords “periodically.”
“Tokopedia also implements multiple layers of security, including OTP (one-time password) that can only be accessed in real time by the account owner," Razak wrote, referring to a multi-factor authentication method commonly used to secure accounts. "We always educate our users to never give their OTP to anyone for whatever reason.”
Under the Breach had first tweeted about the Tokopedia breach the day before. It said a user of RaidForums, a forum for the hacking community, had posted about having gained access to Tokopedia's database in March 2020 and had shared a data dump containing the records of 15m users, described as part of a larger set.
Technology news site ZDNet reported that the data includes sensitive information such as full names, hashed (encrypted) passwords, dates of birth, phone numbers and email addresses. ZDNet also verified data from the initial 15m leak against Tokopedia’s website, noting that SHA2-384, the algorithm used to encrypt the passwords, is secure but “not infallible.”
Unicorns with flawed security
Founded in 2009 by William Tanuwijaya and Leontinus Alpha Edison, Tokopedia is one of Indonesia’s largest e-commerce sites and among the country’s first unicorns. The company has more than 90m monthly active users and 7.8m merchants on its platform. It has raised a total of $2.4bn since its founding, from investors including Softbank, the Alibaba Group, Sequoia Capital India and East Ventures.
Tokopedia also has partnerships with other Indonesian startups, such as KoinWorks, to provide services such as loans for merchants and gold savings for customers. It is unknown whether data related to these services was also compromised.
Tokopedia is the second Indonesian unicorn to be hit with a security breach. In March 2019, competitor Bukalapak confirmed that there had been an attempted breach, but denied that sensitive information was exposed. However, a Bukalapak blog post dated April 2019 said the company had discovered unauthorized access to its backup server, which contained user data from 2017.
Bukalapak said it had reset the passwords on all affected accounts, moved its cold-storage backups to safer locations, and required users to add two-factor authentication. It added that it had hired an independent cybersecurity expert to help improve the platform's security.
The Bukalapak leak was part of a series of data exposures by a hacker named “Gnosticplayers,” who sold the data through a dark web marketplace. "I got upset because I feel no one is learning," Gnosticplayers told ZDNet in March 2019. The hacker found that many companies did not protect their passwords with strong encryption algorithms, allowing bad actors to decrypt and reveal the passwords.
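Both the ZDNet observation above that an unsalted SHA2-384 digest is "not infallible" and Gnosticplayers' complaint that companies do not protect passwords with strong algorithms come down to the same storage decision. The following Python example is added here for illustration; it is not Tokopedia's, Bukalapak's or ZDNet's code, and the sample password, the PBKDF2 iteration count and the record layout are assumptions. It contrasts a bare SHA2-384 digest, which is the same for every user who chose the same password and can be computed billions of times per second, with a per-user salted, deliberately slow PBKDF2 record, and shows constant-time verification against such a record.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demonstration only.
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumed work factor; tune upward for production hardware.
DEFAULT_ITERATIONS = 210_000


def fast_hash(password: str) -> str:
    """Unsalted SHA2-384 of the password.

    The digest is a pure function of the password, so two accounts with the
    same password store the same value, and one precomputed table serves
    every account in a leaked dump.
    """
    return hashlib.sha384(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build a salted, slow PBKDF2-HMAC-SHA384 storage record.

    A fresh 16-byte random salt per account means identical passwords
    produce different records, and the iteration count makes each guess
    cost the attacker the same work it costs the server.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha384", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2-hmac-sha384",
        "iter": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute the derivation with the stored parameters and compare in
    constant time so timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha384",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iter"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def digests_collide_across_users(password: str) -> dict:
    """Show the property that matters for a leaked database: whether two
    accounts with the same password reveal that fact by sharing a stored value."""
    return {
        "unsalted_sha384_identical": fast_hash(password) == fast_hash(password),
        "salted_pbkdf2_identical": make_record(password)["hash"] == make_record(password)["hash"],
    }


if __name__ == "__main__":
    record = make_record(SAMPLE_PASSWORD)
    print("record:", record)
    print("verify correct:", verify(record, SAMPLE_PASSWORD))
    print("verify wrong:  ", verify(record, "wrong password"))
    print(digests_collide_across_users(SAMPLE_PASSWORD))
```

The `alg` and `iter` fields are stored alongside the hash so the work factor can be raised later: on a successful login the server already holds the plaintext and can re-derive and overwrite the record with the new parameters, which is how a site moves off an unsalted fast hash without forcing a global reset.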