Tokopedia User Data Leak: How Dangerous It Is and How to Protect the Data

JAKARTA - Data on tens of millions of users of Indonesia's largest e-commerce site, Tokopedia, has been leaked. This threatens the security of user data, including through hacking of users' financial access. Even worse, the hacking can spread to their other marketplace and social media accounts.

Initially, the Twitter account of the monitoring service provider @underthebreach reported that around 91 million user accounts and 7 million Tokopedia merchant accounts were hacked. That number exactly matches the reported number of Tokopedia users in 2019. This means that almost all of the marketplace's account data was hacked.

The hackers are selling the data on the dark web. According to ZDNet, which has obtained a copy of the data, it contains full names, emails, phone numbers, hashed passwords (which are still encrypted), dates of birth, and details of the Tokopedia profiles. All of it is being sold for 5,000 US dollars, or around Rp74 million.

Cybersecurity expert Pratama Persadha explained that a hacker named Whysodank first published his work on the forum yesterday, Saturday, May 2. The hacker ShinyHunters then put the 91 million accounts up for sale on a dark web forum called Empire Market. That is where the Twitter account @underthebreach got its source.

Threatening Other Accounts

Even though the password data is still encrypted, the head of the Indonesian cyber research institute CISSReC, Pratama Persadha, said that it is only a matter of time before someone manages to open it.

"That is why the perpetrators want to share several million accounts for free, to create some kind of game of who manages to decode the random passwords," he told reporters.

Pratama explained that any hacker can use the data to commit fraud, such as by sending phishing links. From there, the hackers can take over the account.

Even worse, if the passwords are successfully opened, hackers can work their way into users' social media accounts and other marketplace accounts. "Because there is a habit of using the same password for all platforms," Pratama said.

Therefore, Pratama said, Tokopedia must be responsible for this incident. The reason is that the security of user data has been threatened even to the point of being traded.

The data that was successfully hacked contains no financial data such as credit or debit card details. Hopefully that data will not be successfully hacked.

To solve this problem, Tokopedia is obliged to inform its users of what they must do. Among the steps to take are changing the Tokopedia account password and activating the second layer of security, namely OTP, or One-Time Password.

An OTP is a password that validates activities the user performs on the account. It works by sending a password via SMS. The user then enters the code back into the account concerned to continue certain activities, including shopping.