Around 15 million details of registered Tokopedia users has been leaked and published on a popular hacking forum.
On Friday, May 1, 2020, Indonesia’s largest online store was hacked, and the threat actor claims to have obtained the data in an incursion that happened in March 2020, and the data obtained is just a small part of the website’s user database.
The hacker also mentioned that the data of 15 million users was shared in anticipation of finding someone who could crack user passwords, which could further be used to access and navigate through user accounts.
As per an update on Sunday, May 3, 2020, the hacker was adding to the situation by selling Tokopedia’s entire user database on the Empire dark web marketplace.
Here are details from the leaked file that was obtained with the help of Under the Breach, a data breach monitoring service.
The leaked file was a PostgreSQL database dump, which included information such as full names of registered users, contact numbers, date of birth, hashed passwords, and details related to the Tokopedia profiles, such as account creation dates, email activation codes, last login details, information on personal interests, education, and a lot more.
Tokopedia also informed Under the Breach that it is investigating the incident. And as a temporary solution, all Tokopedia users have been advised to change their account passwords.
More about the breach
The hashed passwords played shield as they were protected with the SHA2-384 hashing algorithm that the threat actor was not able to crack. At this point, the algorithm is considered to be secure but not flawless.
The hacker further mentioned the database did not have “salt,” which are random strings that enhance the security quotient of SHA2-384 hashing function that leads to the severity in cracking passwords and simultaneously adds to the time required to crack passwords, which gives users more room and time to change their passwords.
More about Tokopedia
Very similar to Amazon, Tokopedia operates as an eCommerce platform that enables users to buy products from their website. The platform also allows users to set up online stores and sell products themselves. Tokopedia has successfully raised USD 2.4 billion funding and is known as Indonesia’s largest tech giant.
With over 90 million active monthly users and 7 million registered merchants, Tokopedia is currently ranked in the Alexa Top 200 most popular websites on the web.