Asian e-commerce giant Tokopedia is investigating a potentially major data breach after researchers revealed that 91 million user records are up for sale on the dark web.
Breach monitoring service Under the Breach posted screenshots over the weekend that revealed a malicious actor selling records of 15 million users apparently stemming from a March 2020 incident.
According to the post, the database contained emails, password hashes, names and “much more things.” The user said they acquired a copy of the data dump but that crucially it didn’t include the salt needed to crack the hashes.
Unfortunately, the same actor was subsequently found to be selling a much larger data trove containing a purported 91 million records for just $5000. There appear to have been at least two buyers over the weekend.
“This is really bad, make sure you change your passwords for other services in case you are re-using passwords,” advised Under the Breach.
According to reports, Tokopedia is investigating the incident and reiterated in the meantime that passwords are safe.
Backed by the SoftBank Vision Fund and Chinese web giant Alibaba, the Indonesian e-commerce player is said to be looking to raise $1bn or more in pre-IPO funding ahead of plans to go public in the next three years.
The firm claims to have over 90 million monthly active users and more than seven million merchants signed up to its Amazon-like platform.
“We have detected an attempt to steal data belonging to Tokopedia users. However, we have made sure that our users’ personal information, such as passwords, remain protected,” the company said in a statement to local media.
“Although passwords and other crucial user data remain encrypted, we still encourage Tokopedia users to change their passwords periodically to ensure their safety and security.”