Tokopedia, one of the largest e-commerce companies in Indonesia, has reportedly had millions of its user accounts breached.
According to a Tokopedia representative, the company is investigating a rumored breach of more than 15 million of its customer accounts.
“We found attempts to steal data from Tokopedia users, but Tokopedia ensured that important user information, such as passwords, remains protected,” Nuraini Razak, Tokopedia’s vice president of corporate communication, said in a statement.
She stated that the company is still investigating the case.
“We always try to maintain the confidentiality of user data because Tokopedia’s business is a business of trust. User data security is Tokopedia’s top priority,” Nuraini said.
The case was first reported by ZDNet, an American technology news website, which said a hacker had leaked 15 million Tokopedia user accounts following a compromise in March.
According to the report, the leaked data contained email addresses, hashed passwords, and user names, but did not include a critical element that would have allowed the hacker to crack the hashed passwords immediately.
That should give compromised Tokopedia users time to change their passwords before the hashes are cracked offline.
“Although the user’s passwords and other crucial information are still protected behind encryption, we encourage Tokopedia users to keep changing their account passwords regularly for security and convenience,” Nuraini noted.
The Twitter account @underthebreach, however, said the hacker had sold a Tokopedia database of 91 million accounts for US$5,000 (Rp74.5 million) on the darknet.
Following the alleged data breach at Tokopedia, cyber security expert Alfons Tanujaya of Vaksin.com said that the breached information consisted of usernames, email addresses, dates of birth, and telephone numbers. “Nearly 100 percent of Tokopedia user accounts have been breached,” he said, as quoted by Tempo on May 3, 2020.
Alfons pointed out two threats that account holders now face, namely phishing and brute force. “Email data, cellphone numbers and other sensitive data such as birth dates are very vulnerable to exploitation for phishing, scam and telemarketing activities,” he said.
According to him, brute force is easily prevented. “Just impose waiting times: one wrong password from the hacker means a 10-minute wait, two means 20 minutes, three means 40 minutes, and so on, so the attack will not work,” he explained.
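The escalating delay Alfons describes, as an added example that is not code from Tokopedia or from the article: a per-account login throttle that locks the account for 10 minutes after the first wrong password, doubles the lockout on each further failure, and resets on a correct password. Passwords are stored as salted PBKDF2 hashes so that a leaked digest is slow to crack; the account name, password and timings are constructed sample data, and the class and function names are this example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

BASE_DELAY = 10 * 60      # seconds: first wrong password locks the account for 10 minutes
PBKDF2_ROUNDS = 100_000   # slow hash, so a leaked digest is expensive to crack offline


def hash_password(password, salt=None):
    """Return (salt, digest) for a salted PBKDF2-HMAC-SHA256 password hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class AccountState:
    failures: int = 0        # consecutive wrong passwords since the last success
    locked_until: float = 0  # unix time (seconds) before which logins are refused


class LoginThrottle:
    """10 min, 20 min, 40 min ... lockout per account; reset on a correct password."""

    def __init__(self, credentials, base_delay=BASE_DELAY):
        self.credentials = credentials   # username -> (salt, digest)
        self.base_delay = base_delay
        self.state = {}
        # A dummy record is hashed for unknown usernames so the response time
        # is the same, and the endpoint does not reveal which accounts exist.
        self.dummy = hash_password("dummy")

    def delay_after(self, failures):
        """Lockout length after the n-th consecutive failure: base * 2**(n-1)."""
        return self.base_delay * 2 ** (failures - 1)

    def attempt(self, username, password, now):
        """Return ("ok", 0), ("denied", lockout_seconds) or ("locked", seconds_left).

        While locked, the password is not checked at all, so a locked
        response tells the caller nothing about whether the guess was right."""
        st = self.state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked", st.locked_until - now
        salt, digest = self.credentials.get(username, self.dummy)
        valid = verify_password(password, salt, digest)   # always runs, even for unknown users
        if valid and username in self.credentials:
            self.state[username] = AccountState()         # success clears the counter
            return "ok", 0
        st.failures += 1
        wait = self.delay_after(st.failures)
        st.locked_until = now + wait
        return "denied", wait


if __name__ == "__main__":
    # Constructed sample account; not real Tokopedia data.
    throttle = LoginThrottle({"alice@example.com": hash_password("correct horse battery")})
    t = 0
    for guess in ["123456", "password", "qwerty", "correct horse battery"]:
        result, seconds = throttle.attempt("alice@example.com", guess, t)
        print(f"t={t:>5}s  guess={guess!r:<25} -> {result} ({seconds:.0f}s)")
        t += seconds or 60   # jump past the lockout, or wait a minute after success
```

Two caveats the advice above leaves out. The throttle only slows guessing against the live login endpoint; whoever holds the leaked dump cracks the hashes offline, where no delay applies, so for this breach the strength of the hashing (a per-user salt and a deliberately slow algorithm, as in the block) matters more than the lockout. Note also that a password hash is a one-way digest, not encryption as the quotes call it: it cannot be decrypted, only guessed against. Finally, a per-account lockout lets anyone lock a victim out by deliberately sending wrong passwords, so real deployments pair it with per-IP limits or a CAPTCHA rather than relying on it alone.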
With phishing, on the other hand, the loss depends on the victim. “If the account holders are successfully deceived and do not get an update, they could easily enter their credentials into fake sites,” he added.
All online services are targeted by hackers, Alfons said. However, in his view the Tokopedia case is, for now, still relatively not too dangerous. “It’s still good that there is a hash (encryption) and that TFA (two-factor authentication) has been implemented, so the user accounts are safe,” he said.
The same view was expressed by Ismail Fahmi, an IT expert from Drone Emprit and Kernels Indonesia, regarding the alleged theft of 91 million user accounts from the e-commerce company Tokopedia. According to him, Tokopedia’s IT system is actually relatively safe.
“Tokopedia has OTP (one-time password). So on every login, an OTP will be sent via SMS or WhatsApp,” he said, as quoted by CNBC Indonesia on Sunday, May 3, 2020.
However, according to Ismail, the most important aspect of this case is not the passwords for the Tokopedia site but the leaked personal data.
Tokopedia has more than 7 million merchants on its platform and serves more than 90 million visitors every month, according to the company’s recent statement.
Meanwhile, Communication and Informatics Minister Johnny G. Plate on Sunday urged the Indonesian e-commerce company to guarantee the security of its users’ personal data.
“The first thing that needs to be done by Tokopedia is to immediately improve its security system to prevent further data breaches,” the minister said in Sunday’s written release.
Johnny also called on Tokopedia to notify users who might have been exposed to the hackers and to conduct a thorough internal investigation into the incident to find out who was responsible for putting personal data at risk.
He also said that the ministry will receive the full report on the incident once Tokopedia has completed it.
Moreover, Johnny reminded e-commerce companies that they are required to adhere to the government’s personal data protection standards under Government Regulation No. 71 on electronic systems and transactions.
On Monday, May 4, Johnny stated that the government, together with the Indonesian House of Representatives (DPR), continues to accelerate efforts to pass the Personal Data Protection Bill (RUU PDP).