Tokopedia Indonesia Hacked! 15 million records leaked from Indonesia’s largest online store

A hacker has leaked on Friday the details of 15 million users registered on Tokopedia, Indonesia’s largest online store.

The hacker claims the data was obtained in an intrusion that took place in March 2020 and is just small part of the site’s entire user database that was obtained in the hack.

The leaker said he was sharing the 15 million users sample in the hopes someone could help crack the user passwords, so they could be used to access user accounts.

ZDNet has obtained a copy of the leaked file with the help of data breach monitoring service Under the Breach.

The file was a PostgreSQL database dump, containing user information such as full names, emails, phone numbers, hashed passwords, dates of birth, and Tokopedia profile-related details (account creation date, last login, email activation codes, password reset codes, location details, messenger IDs, hobbies, education, about-me fields, and lots more).

ZDNet has verified the authenticity of the leaked data against the official Tokopedia website.

An email containing a request for comment sent to Tokopedia returned an error message, but the company has told Under The Breach in a private online conversation that they are investigating the incident.

For the time being, Tokopedia users are advised to reset their account passwords.

The hashed passwords that the hacker wasn’t able to crack were secured with the SHA2-384 hashing algorithm, currently considered to be secure, although not infallible.

The hacker also said the database didn’t contain the “salt” random strings used to improve the security of the SHA2-384 hashing function. Without the salt strings, cracking the passwords would be more time-consuming task, giving users enough time to change passwords in the coming days.

Tokopedia has raised a total of $2.4 billion in funding over nine rounds, and is currently one of Indonesia’s biggest tech unicorns.

The website is similar to Amazon, allowing users to buy products from the site or set up stores and sell products themselves. The site is currently ranked in the Alexa Top 200 most popular sites on the internet, and it claims to have more than 90 million monthly active users and more than 7 million registered merchants.

Updated on Sunday, May 3, to add that the hacker is now selling Tokopedia’s entire user database on the Empire dark web marketplace. The hacker claims they’re in possession of 91 million user accounts.