Advertisement

Indonesian e-commerce giant probes reported breach of 91 million credentials

The government summoned the board of directors to clarify the current state of the investigation in a meeting Monday.
tokopedia breach
Tokopedia claimed to serve 93% of the population of Indonesia.

Indonesia’s largest e-commerce platform says it’s investigating a possible data breach in which hackers claim to have stolen data about 91 million customers.

Tokopedia, which is backed by $2 billion in funding from investors including SoftBank and Alibaba, told Reuters Saturday it was investigating an alleged theft of user data, though it maintained that user passwords were still encrypted.

Indonesia’s Minister of Communication and Information Technology, Johnny G. Plate, on Sunday urged Tokopedia to “immediately improve its security system to prevent a further breach in data.” The government also has summoned the board of directors to clarify the current state of the investigation in a meeting Monday.

The statement followed a series of tweets from Under the Breach, a data breach monitoring service, including screenshots, apparently from a vendor on a cybercriminal forum, advertising 15 million names, email addresses and hashed passwords. The same account then marketed 91 million records for $5,000 on the dark web, according to another tweet from Under the Breach.

Advertisement

https://twitter.com/underthebreach/status/1256686160304357382

A number of Twitter users apparently from Indonesia replied to the Under the Breach tweet claiming their own email credentials had been compromised. By entering their own email addresses in the Have I Been Pwned database, which scours dark web marketplaces for stolen email credentials, Tokopedia users determined they were affected by the incident.

By press time Monday, Have I Been Pwned determined that the reported 15 million credentials included roughly 12 million unique email addresses, names, genders, birth dates and hashed passwords. Rather than being included in accessible plain text, the passwords are stored as SHA2-384 hashes. An attacker trying to crack the passwords would need to break the encryption protocol protecting them.

A Tokopedia spokesman told Reuters “all transactions with all payment methods at Tokopedia…remain secure.”

Tokopedia entered international consciousness in 2018 when it entered SoftBank’s Vision Fund, a global consortium of wealth which includes money from the Saudi Arabian government. It’s the same investment fund that once propelled WeWork’s value to $47 billion before the real estate company scrapped an initial public offering amid investors’ scrutiny.

Advertisement

Tokopedia claimed to serve 93% of the population of Indonesia, the fourth-most populated country in the world, TechCrunch reported in 2018.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts