Indonesia’s largest online store, Tokopedia, was compromised and the data of 15 million users has been leaked. The hacker claimed that the data was obtained in an intrusion that took place in March 2020 and that it includes just a small portion of the site’s entire user database.
The hacker shared this user data thinking that someone could help crack the user passwords, so that they could be used to access user accounts.
The database dump includes user details such as full names, emails, phone numbers, hashed passwords, dates of birth, and Tokopedia profile-related details (account creation date, last login, email activation codes, password reset codes, location details, messenger IDs, hobbies, education, about-me fields, and lots more).
Tokopedia stated that it is investigating the incident. All users are advised to reset their account passwords.
The hashed passwords are secured with the SHA2-384 hashing algorithm, which is considered to be very secure.
The hacker said that the database did not contain the “salt”, the random strings that are used to improve the security of the SHA2-384 hashing function. Without the salt, it is even more difficult to crack the passwords, and in the meantime users have enough time to change their passwords.
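The salt mechanism described above, as an added Python example that is not code from Tokopedia or from the original article: it stores a password as SHA-384 over a per-user salt plus the password, shows that a record stripped of its salt cannot confirm even the correct password, and sets a slow salted KDF (PBKDF2-HMAC-SHA384) beside it as the hardened storage form. The salt-then-password concatenation, the 16-byte salt, the iteration count and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumption: the article does not say how salt and password are combined;
# salt-then-password concatenation is used here only for illustration.
def salted_sha384(password: str, salt: bytes) -> bytes:
    return hashlib.sha384(salt + password.encode("utf-8")).digest()

def new_record(password: str) -> dict:
    """Stored credential: random per-user salt plus the salted digest."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": salted_sha384(password, salt)}

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Server-side login check; it needs the salt. Constant-time compare."""
    return hmac.compare_digest(salted_sha384(password, salt), digest)

def dump_view(record: dict) -> dict:
    """A dump that lacks the salt column, as the article describes."""
    return {"digest": record["digest"]}

def check_without_salt(candidate: str, leaked: dict) -> bool:
    """Without the salt only the bare hash can be computed; it does not match."""
    bare = hashlib.sha384(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(bare, leaked["digest"])

# Hardened form: a slow, salted KDF. A single SHA-384 round is cheap per guess
# once a salt is known, so the work factor limits guessing if salts leak too.
PBKDF2_ITERATIONS = 210_000  # constructed value for this sketch

def new_record_kdf(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha384", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}

def verify_kdf(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha384", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

if __name__ == "__main__":
    pw = "constructed-sample-pw"  # constructed sample, not real data
    a, b = new_record(pw), new_record(pw)
    print("same password, different digests:", a["digest"] != b["digest"])
    print("verifies with salt:", verify(pw, a["salt"], a["digest"]))
    print("confirmable from dump alone:", check_without_salt(pw, dump_view(a)))
    print("KDF record verifies:", verify_kdf(pw, new_record_kdf(pw)))
```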
Tokopedia, which has raised a total of $2.4 billion in funding, is ranked in the Alexa Top 200 most popular sites and is currently one of Indonesia’s biggest online stores.
The site, which is similar to Amazon, has more than 90 million monthly active users and more than 7 million registered merchants.