Tokopedia Data was Reportedly being Hacked and Sold for IDR 73 Million
Share
Tokopedia e-commerce platform user data was reportedly hacked and sold through a dark site (dark web) for US $ 5,000 or around IDR 73.4 million (exchange rate of IDR 14,600 per US $). The data sold are 91 million Tokopedia records that have been hacked.
The news was revealed and spread Twitter account @underthebreach on Saturday (2/5). The account also includes screenshots about the sale of data by hackers. “This is very bad, make sure you change the password for other services if you reuse the password (in other services),” the account said.
Hackers are also said to have 15 million Tokopedia user accounts in raw (hashed) data. Even so, hackers still cannot solve the hash algorithm. In the screenshot that was shared by @underthebreach, it was seen that the hacker was looking for someone who was able to solve the hash algorithm through a forum.
It is alleged that the hash hack contains a database related to email, password hashes, and Tokopedia usernames. “Hacking occurred in March 2020 and affected 15 million user accounts, although hackers said there were more (accounts),” the owner of @underthebreach said.
Related to this, this account also urges Tokopedia account owners to immediately change their keywords before re-accessing them.
The Chronology of Tokopedia’s Data Leakage
The complete chronology of the Tokopedia account’s breakdown began when the Whysodank hacker first published the hacking results on the Raid Forum on Saturday (2/5). The hacking occurred on March 20, 2020.
Then, the @underthebreach account at 4:15 p.m. WIB tweeted about hacking and claimed to be a surveillance and prevention service for data leakage from Israel. This tweet was delivered while poking Tokopedia’s official account.
In screenshots shared on social media it is said that hackers still have to solve algorithms to unlock the hashes of the user’s passwords. The hacker also asked for help from other hackers to unlock the algorithm.
In the next screenshot, this information leaking account includes a portion of user accounts that can be opened via the site. The user’s name, email, and telephone number appear on the site.
“Someone leaked the Tokopedia database, a large technology company from Indonesia that runs Ecommerce,” the account said.
“Hacking was carried out in March 2020 and affected 15 million users, although hackers said there were many more. The database (which was hacked) included e-mail, password hashes, names,” he continued.
User Data Is Still Encrypted
Cybersecurity expert Pratama Persadha said the data for the Tokopedia account password was still encrypted, but it was only a matter of time until someone could open it.
That’s why the perpetrators want to do a free share of several million accounts to make a kind of play to find someone who can crack the password.
According to Pratama, even though the password is still in random form, but other data are already open or plain. This means that all hackers can use this data to commit fraud and take over accounts on the internet.
For example sending phishing links or other social engineering efforts, because of that Tokopedia should update and inform all users immediately.
“If the password is successfully opened by the perpetrators, surely one of the things that will be done is account takeover. Then the perpetrators will randomly try to take over social media accounts and other marketplaces because there is a habit of using the same password for all platforms,” Pratama explained.
Primary underlines what Tokopedia users can do is change passwords and activate OTP (one-time-password) via SMS. Then change all the passwords from the social media account and the marketplace platform besides Tokopedia.
The issue of hacking has also been experienced by Bukalapak e-commerce in March 2019. A total of 13 million Bukalapak user accounts were hacked by a hacker under the pseudonym Gnosticplayers. The Pakistani hacker claimed to have stolen data from Bukalapak users and several other well-known sites. However, Bukalapak has denied the claim.