A hacker is selling a database containing the information of 91 million Tokopedia accounts on a dark web market for as little as $5,000. Other threat actors have already started to crack passwords and share them online.
Tokopedia is Indonesia’s largest online store, with 4,700 employees and over 90 million active users.
This weekend, data breach monitoring and cybersecurity intelligence firm Under the Breach discovered that a hacker was offering the account information for 15 million Tokopedia users on an online hacker forum.
To access this data, forum users would need to spend eight site ‘credits’, which costs approximately €2.13.
The hacker claims that this data was a small subset of a more substantial 91 million user dump stolen from Tokopedia during a March 2020 hack.
Soon after the smaller subset was released on the hacker forum, the same hacker began selling the full 91 million user database on an online criminal marketplace for as little $5,000. At the time of this writing, the database has been sold two times.
From a sample of the leaked data shared with BleepingComputer by Under the Breach, the dump was for a PostgreSQL database that contains many fields for personal user data, but only a small subset actually contain information.
The most serious of the exposed data consists of a user’s email address, full name, birth date, and hashed user passwords. Some of the exposed accounts also have their mobile device’s Mobile Station International Subscriber Directory Number (MSISDN) listed.
While Tokopedia has not made an official announcement about this breach, Tokopedia has told Under the Breach that they are investigating the situation.
Reuters was also told by the online retailer that they detected an attempt to steal data from the company.
“We found that there had been an attempt to steal data from Tokopedia users,” a spokesman told Reuters.
BleepingComputer has contacted Tokopedia but has not received a response as of yet.
Hackers start to offer dehashed passwords
Under the Breach has told BleepingComputer that threat actors have already started to share over 200,000 user names and their associated dehashed, or cracked, passwords on hacking forums.
These dehashed accounts are being shared for free to use who simply reply to the forum topic or who have upgraded accounts on the forum.
Cybersecurity intelligence firm Cyble has also told BleepingCompter that they are aware of threat actors who claim to be selling a list of millions of Tokopedia usernames and their associated dehashed, or cracked, passwords for just $8,000.
Cyble believes the database has been privately circulating since April, and now that it is publicly leaked, the threat actor decided to sell their dehashed account list before others release it.
BleepingComputer has not been able to independently confirm if these are legitimate dehashed accounts or if the threat actor is trying to pull a money grab scam.
Cyble has stated that they acquired the Tokopedia database and users can check if their account has been exposed via Cyble’s data breach monitoring platform amibreached.com.
All Tokopedia users should make the assumption that if their passwords is not dehashed already, it may be in the future, and should immediately change their password to a unique one only used at that site.
For any other site that the same password was used, it should be changed to a unique one there as well.
Finally, all users who were exposed by this data breach should be on the lookout for targeted phishing attacks that utilize the information from this data dump.