Indonesia’s Tokopedia User Data Hacked, Sold, and Shared on Facebook

JAKARTA, KOMPAS.com – Indonesian tech giant Tokopedia has fallen victim to a massive data leak in which 91 million of its user data were stolen, sold for $5,000, and shared in a Facebook group.

Tokopedia has clarified that users’ password information is safe as it is encrypted.

However, Tokopedia’s stolen user data encompassed information on people’s emails, full name, and mobile numbers.

Read also: Gojek Cuts 430 Jobs As Indonesian Economy Slows Down Due to Covid-19

The company has stated that it has approached the situation in a transparent manner with its users. Tokopedia has also filed a police report on the hacking incident.

“We underline that this is not an attempt to steal new data and that Tokopedia users’ passwords remain protected through encryption. We have additionally reported the incident to the police. We remind all parties to erase all information that facilitates access to data obtained through unlawful means,” said Tokopedia Vice President of Communications Nuraini Razak on July 6.

The Indonesian tech giant is also coordinating with the government and other relevant authorities in the case.

“We have also guided our users of the next step to take in ensuring the privacy of their personal data is secured,” said Nuraini.

Data discovery

Tokopedia's stolen user data leak was discovered by the Communication and Information System Security Research Center on July 4.

The research center found a link containing 91 million Tokopedia user data shared on a Facebook group.

The institution suspected that it was a data leak given that the personal information was available for download free of charge.

Read also: Gojek to Integrate PayPal with the Indonesian Ride-Hailing Giant’s App

Furthermore, Chairman of the Communication and Information System Security Research Center Pratama Persadha said that the link was first shared on July 3 on a public forum called Raidsforum.

The link originated from an account with a registered username of @Cellibis. The user stipulated that the data was obtained for $5,000.

Although password information was not leaked, Tokopedia's stolen user data consisting of e-mail addresses, names, and mobile numbers are enough to put the user at risk of a criminal act.

Read also: The Joke is on the Indonesian National Police

Pratama explained that cybercrimes such as phishing or scams use a person’s e-mail or phone number to blackmail the victim for their password information.

Phone numbers can easily be used for cybercrimes that are serious and far-reaching such as to spread hoax information.

Pratama went on to explain that a cybercriminal can conduct profiling judging from an individual’s name, e-mail address, and valid mobile number.

Read also: Look, Indonesia’s State Intelligence Agency Joins Social Media Fray

“With the e-mail and mobile number information, the culprit can send targeted information such as to incite provocation. These types of activities can be very dangerous,” said Pratama.

Indonesia does not have laws that regulate the cyberworld nor protect user data.

Pratama believes that without such a legal framework, no pressure is given to those who operate electronic systems, be it state-owned or private companies, to create the best system and maintenance in protecting user data. 

(Writer: Conney Stephanie, Elsa Catriana | Editor: Oik Yusuf, Sakina Rakhma Diah Setiawan) 

Source: https://tekno.kompas.com/read/2020/07/06/08020027/e-mail-dan-nomor-ponsel-pengguna-tokopedia-beredar-di-medsos-ini-bahayanya

https://money.kompas.com/read/2020/07/06/142632626/tokopedia-laporkan-oknum-yang-jual-91-juta-data-pelanggannya-ke-polisi