
Cyber Incident Victim: eSewa

Date: Oct 2020

Location: Nepal

Summary

A digital payment service provider experienced a data breach where a hacker publicly released approximately two dozen users' personal information, including email addresses, phone numbers, masked passwords, and wallet balances. The company denied direct system compromise, attributing the incident to third-party phishing scams while asserting all stored data remained encrypted. User concerns escalated regarding financial safety and transparency, compounded by prior security incidents involving other local firms. No confirmed fund losses were reported, though the breach highlighted vulnerabilities in handling sensitive financial data.

Description

On October 9, 2023, reports emerged that eSewa, a prominent Nepali digital payment platform, experienced a data breach compromising user information including email addresses, phone numbers, passwords (displayed with asterisks), and wallet balance amounts. A hacker using the Twitter handle @aparich95406002 publicly leaked details of at least 21 users, though the exact scope of affected accounts remained unconfirmed. The tweet containing this data was subsequently removed by Twitter for policy violations. This incident followed earlier public speculation about a potential breach after eSewa proactively advised users to change their passwords via web browsers. The breach raised significant concerns due to the sensitivity of financial data stored in eSewa’s mobile wallets, though no confirmed cases of stolen funds were reported at the time.

eSewa officially denied suffering a direct breach, attributing the incident to third-party phishing scams that illegally accessed user credentials. In a Friday statement preceding the hacker’s data dump, the company claimed all platform data remained encrypted and secure, while urging affected users to reset passwords. Social media reactions highlighted user frustration over transparency, with individuals like Shisir Khanal publicly questioning why passwords appeared unencrypted in the leaked data and criticizing eSewa’s communication. This incident echoed broader cybersecurity challenges in Nepal’s digital ecosystem, following similar 2023 breaches at Foodmandu (50,000 users) and Vianet (170,000 customers). Historical concerns about eSewa’s data security resurfaced, including March 2020 allegations involving unethical hacking by a prime ministerial IT consultant, amplifying public anxiety over financial data protection despite the lack of confirmed monetary losses from this breach.
