Tokopedia Assures Payment Information Secure as All User Accounts Likely Compromised

Jakarta. A unanimous hacker has offered a database containing personal information and hashed passwords of virtually all of Tokopedia users on the dark web, hours after the same actor leaked a part of the database on Saturday. 

The database allegedly contained 91 million users data at one of Indonesia's largest e-commerce companies. Tokopedia's statement in January showed more than 90 active users access the website every month. 

For comparison, Indonesia now has 175 million internet users, according to the latest report from We Are Social, a global marketing agency's report. 

One can buy the complete database for $5,000, while the first part is up for grab just for a couple of US dollars. The leaked database is up to date to last month. 

Nuraini Razak, the vice president of communication at Tokopedia, said on Sunday that the company was still investigating the leak, but assured that customer's sensitive financial data remained secure. 

"All transactions using all payment methods, including debit card, credit card, and OVO information, in Tokopedia, remain secure," Nuraini said in a statement on Sunday.

Under the Breach, a data breach monitoring service said that Tokopedia's users should change the password and detach their bank account from the platform. 

UPDATE: same actor is now selling the full database with allegedly 91,000,000 records for $5,000 on the Darknet.

This is really bad, make sure you change your passwords for other services in case you are re-using passwords. pic.twitter.com/bGOnAhmQ7e

— Under the Breach (@UnderTheBreach) May 2, 2020

While the user's password in the database still safe behind encryption, experts warned scammers would exploit leaked personal data for scam or phishing purposes.

Nuraini said users should reset their password and keep doing so regularly. Also, she told the users should refuse to give their secure one-time-password (OTP) to anyone to avoid a further breach of their Tokopedia accounts. 

Indonesia's first unicorn has a list of investors that include venture capital company East Ventures, Chinese e-commerce giant Alibaba Group, and Japanese conglomerate Softbank. 

Tokopedia's alleged data breach was the largest in the country after its local rival Bukalapak reported similar attempts on their customer's database last year. 

Tokopedia is currently a dominant player in Indonesia's growing e-commerce market, which is expected to rise to 82 billion by 2025, up from$21 billion last year, according to a recent report by Google, Temasek, and Bain & Company.