Hackers are always on the move to find weaknesses in systems, exploit them, and see what they can extract when breaching the defenses of their targets.
And here, a hacker managed to hack Tokopedia, Indonesia' largest e-commerce store, and leaked the details of 15 million of its registered users.
The hacker claims that the data was obtained in an intrusion that took place back in March 2020, and is only a small part of the site's entire user database that was obtained in the hack.
The purpose for sharing only 15 million user, is because the passwords were hashed with the SHA2-384 hashing algorithm, which is considered to be secure. What's more, the hacker also said that the database didn't contain the "salt" random strings, making cracking the passwords a bit more time-consuming.
But that doesn't mean everything is foolproof. Cracking the passwords could be difficult, but possible. This is why the hacker shared the sample so other fellow hackers can help crack them.
Once cracked, hackers can sell the database for a lot more money, or use the credentials for a whole nefarious deeds, including email scams, extortion, identity theft-related scams and others.
In response to the incident, Nuraini Razak, Tokopedia's vice president of corporate communication, said in the statement:
"We always try to maintain the confidentiality of user data because Tokopedia's business is a business of trust. User data security is Tokopedia's top priority."
Because cracking the passwords can take a while, compromised Tokopedia users should have the time they need to change their password.
"Although the user's passwords and other crucial information are still protected behind encryption, we encourage Tokopedia users to keep changing their account passwords regularly for security and convenience," Nuraini said, as she encouraged Tokopedia users to take the necessary precaution.
ZDNet that got itself a copy of the PostgreSQL database dump with the help of data breach monitoring service Under the Breach, said that it contains user information such as:
Full names, emails, phone numbers, gender, hashed passwords, dates of birth, and Tokopedia profile-related details (account creation date, last login, email activation codes, password reset codes, location details, messenger IDs, hobbies, education, about-me fields, and more).
ZDNet managed to verify the authenticity of the leaked data against the official Tokopedia website.
Since its inception in 2009, Tokopedia has raised billions of dollars from funding with backers that included the Chinese e-commerce giant Alibaba and Japan's multinational holding company Softbank.
This makes it one of the largest unicorn in Indonesia, coming second to only the 'decacorn' super-app Gojek.
With more than 7 million merchants on its platform, Tokopedia services more than 90 million monthly active users, according to the company's statement.