Cyber Incident Victim: Tokopedia

Date: Mar 2020

Location: Indonesia

Summary

A hacker stole and sold a database containing 91 million user accounts from Indonesia's largest online marketplace, initially offering a subset of 15 million records before selling the full dataset for $5,000. The compromised information included email addresses, full names, birth dates, hashed passwords, and some mobile device identifiers. Threat actors subsequently cracked and publicly shared over 200,000 passwords, while others offered millions of dehashed credentials for $8,000. The platform acknowledged the breach and collaborated with national cybersecurity agencies to investigate while strengthening system security. Exposed users faced credential reuse risks and potential phishing attacks leveraging the stolen personal data.

Description

In March 2020, Tokopedia, Indonesia’s largest online marketplace with over 90 million active users, suffered a data breach involving unauthorized access to user account information. By early May 2020, a hacker advertised a subset of 15 million Tokopedia user records for sale on a dark web forum, requiring approximately €2.13 in forum credits for access. The seller claimed this subset originated from a larger database of 91 million user accounts stolen during the March incident. Shortly after listing the partial data, the same actor offered the complete database for $5,000 on a criminal marketplace, where it had been sold twice by May 3, 2020. Analysis of a leaked sample by cybersecurity firm Under the Breach revealed the data originated from a PostgreSQL database containing fields for extensive personal information, though only a limited subset contained populated records. Exposed data included user email addresses, full names, birth dates, and hashed passwords, with some entries also listing mobile device MSISDN numbers. Tokopedia’s Vice President of Corporate Communications, Nuraini Razak, confirmed the company was investigating the leak and collaborating with Indonesia’s Ministry of Communication and Information Technology and National Cyber and Crypto Agency to enhance system security.

Following the initial data sale, threat actors began distributing over 200,000 dehashed (cracked) username-password pairs for free on hacking forums, accessible to users who replied to forum threads or held upgraded accounts. Cybersecurity firm Cyble reported additional actors selling millions of dehashed credentials for $8,000, noting the database had circulated privately since April 2020 before becoming publicly available. Cyble acquired the database and enabled exposure checks through its AmIBreached platform. Tokopedia users were advised to assume their passwords could be cracked and to change credentials immediately, particularly if reused on other platforms. The breach heightened risks of targeted phishing campaigns leveraging the stolen personal data. Tokopedia reiterated its commitment to user data security but did not disclose technical details of the breach vector, remediation steps, or user notification processes beyond its initial statement.
