[BreachExchange] Filipino credit app Cashalo suffers data breach

Destry Winant destry at riskbasedsecurity.com
Thu Feb 25 11:07:30 EST 2021


https://portswigger.net/daily-swig/filipino-credit-app-cashalo-suffers-data-breach

A data breach at a Filipino credit company has exposed customers’
sensitive personal details.

Cashalo, a fintech company offering cash loans and other financial
services to customers in the Philippines, confirmed that “illegal
access” of a database has resulted in the leak of some personally
identifiable information.

Exposed details include the names, email addresses, phone numbers,
device IDs, and passwords of customers.

Cashalo stressed that passwords were encrypted and said that no
accounts were compromised as a result of the data breach.

It isn’t yet clear how many customers were affected by the incident.

Unauthorized access

The unauthorized access was discovered on February 18 during routine
“proactive monitoring”, said Cashalo.

A statement reads: “We immediately took the system offline, commenced
investigations, self-reported it to the Philippines’ National Privacy
Commission, and took a number of steps to review and enhance our
security measures.”

Customers affected by the incident will be notified directly either
via email or in-app message, Cashalo said.

“As a precaution, we encourage customers to change their password,”
the company advised.

“Please also continue to be on the alert for spam emails requesting
personal or other sensitive information, as well as any unusual
activity.

“Cashalo does not request customers to give their password information
over email or phone.”

The Daily Swig has reached out to Cashalo for further information and
will update this article accordingly.

