[BreachExchange] Hacker leaks 15 million records from Tokopedia, Indonesia's largest online store

Destry Winant destry at riskbasedsecurity.com
Mon May 4 10:21:43 EDT 2020


https://www.zdnet.com/article/hacker-leaks-15-million-records-from-tokopedia-indonesias-largest-online-store/

A hacker has leaked on Friday the details of 15 million users
registered on Tokopedia, Indonesia's largest online store.

The hacker claims the data was obtained in an intrusion that took
place in March 2020 and is just a small part of the site's entire user
database that was obtained in the hack.

The leaker said he was sharing the 15 million users sample in the
hopes someone could help crack the user passwords, so they could be
used to access user accounts.

ZDNet has obtained a copy of the leaked file with the help of data
breach monitoring service Under the Breach.

The file was a PostgreSQL database dump, containing user information
such as full names, emails, phone numbers, hashed passwords, dates of
birth, and Tokopedia profile-related details (account creation date,
last login, email activation codes, password reset codes, location
details, messenger IDs, hobbies, education, about-me fields, and lots
more).

ZDNet has verified the authenticity of the leaked data against the
official Tokopedia website.

An email containing a request for comment sent to Tokopedia returned
an error message, but the company has told Under The Breach in a
private online conversation that they are investigating the incident.

The Total Economic Impact of IBM Sterling Order Management

A Forrester case study The growing demand for omnichannel fulfillment
is forcing businesses to deliver customer promises. A modern
omnichannel order management system that can manage inventory and
orders across channels is a key investment for...

White Papers provided by IBM

For the time being, Tokopedia users are advised to reset their account
passwords.

The hashed passwords that the hacker wasn't able to crack were secured
with the SHA2-384 hashing algorithm, currently considered to be
secure, although not infallible.

The hacker also said the database didn't contain the "salt" random
strings used to improve the security of the SHA2-384 hashing function.
Without the salt strings, cracking the passwords would be a more
time-consuming task, giving users enough time to change passwords in
the coming days.

Tokopedia has raised a total of $2.4 billion in funding over nine
rounds, and is currently one of Indonesia's biggest tech unicorns.

The website is similar to Amazon, allowing users to buy products from
the site or set up stores and sell products themselves. The site is
currently ranked in the Alexa Top 200 most popular sites on the
internet, and it claims to have more than 90 million monthly active
users and more than 7 million registered merchants.

Updated on Sunday, May 3, to add that the hacker is now selling
Tokopedia's entire user database on the Empire dark web marketplace.
The hacker claims they're in possession of 91 million user accounts.


More information about the BreachExchange mailing list