
Cyber Incident Victim: Cermati.com

Date:

Oct 2020

Location:

Indonesia

Summary

A threat actor advertised stolen user databases from seventeen companies, including Cermati.com, for sale on a hacker forum, aggregating approximately 34 million records. The broker claimed no direct involvement in the breaches but offered data from the company containing emails, bcrypt-hashed passwords, addresses, and tax identifiers. This incident formed part of a broader campaign impacting multiple organizations, with the compromised password hashes ranging from weak MD5 to the stronger bcrypt algorithm. While some affected entities acknowledged breaches, others had not publicly confirmed the incidents at the time of reporting.


Description

On October 28, 2020, a threat actor advertised the sale of aggregated stolen user databases from seventeen companies on a hacker forum, totaling approximately 34 million compromised records. The actor functioned as a data breach broker rather than the original attacker, facilitating the sale of datasets obtained from third-party breaches. Among the affected entities was Indonesian financial services platform Cermati.com, whose exposed data included user emails, bcrypt-hashed passwords, physical addresses, and tax identification numbers. The broker provided detailed inventories of compromised data types for each company, with other significantly impacted organizations including Geekie.com.br (8.1 million records), Clip.mx (4.7 million), Wongnai.com (4.3 million), and RedMart. While RedMart publicly acknowledged the breach, most listed companies including Cermati.com had not issued formal disclosures at the time of reporting. The datasets contained varying combinations of personally identifiable information alongside password hashes protected with diverse cryptographic algorithms, ranging from relatively weak MD5 to more robust bcrypt and PBKDF2-SHA256 implementations.


The incident exposed users across multiple platforms to credential stuffing attacks and identity theft due to the inclusion of both authentication credentials and sensitive personal data. Financial risks were particularly acute for RedMart users, whose compromised records included credit card details alongside addresses and phone numbers. For Cermati.com customers, the exposure of tax numbers alongside contact information and physical addresses elevated risks of financial fraud and phishing campaigns. The broker indicated these databases were being marketed through private sales channels prior to potential public release, following established patterns in underground data trafficking where initial exclusive access commands higher prices before broader dissemination. No containment measures or forensic findings from Cermati.com were documented in available reports, though security professionals emphasized the critical importance of password resets and credential rotation given the volume of reused credentials typically observed in such breaches. The aggregated scale of 34 million records across geographically diverse platforms underscored the persistent threat of credential-based attacks stemming from historical data breaches.
