A hacker is selling a database containing the information of 91 million Tokopedia accounts on a dark web market for as little as $5,000. Other threat actors have already started to crack passwords and share them online.

Tokopedia is an Indonesian technology company specializing in e-commerce. Founded in 2006; the company has become a giant with more than 91 million registered users/customers and over 7 million merchants.

According to hackread.com the company has suffered a massive breach and personal data of users is at risk. This data includes:

  • Gender
  • Location
  • Username
  • Full name
  • Email address
  • Phone numbers
  • Hashed password

The data breach monitoring firm Under the Breach who is familiar with the incident has confirmed that the database being traded online contains authentic data belonging to Tokopedia and includes data till March 2020.

To access this data, forum users would need to spend eight site ‘credits’, which costs approximately €2.13.

The hacker claims that this data was a small subset of a more substantial 91 million user dump stolen from Tokopedia during a March 2020 hack.

From a sample of the leaked data shared with BleepingComputer by Under the Breach, the dump was for a PostgreSQL database that contains many fields for personal user data, but only a small subset actually contain information.

Buy Me A Coffee

The most serious of the exposed data consists of a user’s email address, full name, birth date, and hashed user passwords. Some of the exposed accounts also have their mobile device’s Mobile Station International Subscriber Directory Number (MSISDN) listed.

Zoom Fortifies Video Meetings with Quantum-Resistant Encryption

While Tokopedia has not made an official announcement about this breach, Tokopedia has told Under the Breach that they are investigating the situation.

Reuters was also told by the online retailer that they detected an attempt to steal data from the company.

“We found that there had been an attempt to steal data from Tokopedia users,” a spokesman told Reuters.