Cyber Incident Victim: Bukalapak

In early May 2020, reports emerged that a database containing approximately 13 million Bukalapak user records was listed for sale on RaidForum by an account named 'STARTEXMISLEAD.' The listing, dated May 4, 2020, claimed the data originated from February 2018 and included email addresses, IP addresses, names, usernames, dates of birth, geographic locations, website activity, and passwords encrypted with SHA-512/BCRYPT hashing. A subsequent May 8, 2020 listing by 'Megadimarus' added that 0.3 million email-password pairs had been cracked. Sample records showed extensive user details, including contact information, encrypted credentials, and timestamps from 2017. This incident followed closely after a reported breach at Tokopedia, another Indonesian e-commerce platform, raising concerns about systemic vulnerabilities.

Bukalapak's corporate communications head, Intan Wibisono, denied any new breach, attributing the circulating reports to a 2019 hacking attempt by suspected threat actor GnosticPlayers. The company maintained that no essential data—including passwords, personal identifiers, or financial information—had been compromised during that 2019 incident. However, the RaidForum listings directly contradicted these claims by specifying the extraction date as February 2018 and detailing extensive personal information exposure. The discrepancy remained unresolved, with Bukalapak reiterating its data security assurances while external evidence indicated potential unauthorized access to sensitive user attributes two years prior. No further investigative findings or remediation steps were disclosed by the company beyond these public statements.