91 Million Tokopedia Account Data Leaked and Sold on Internet Forums
In early May 2020, Tokopedia was hit by a data leak affecting 15 million accounts. The account that leaked the data also said it held, and would sell, the data of 91 million Tokopedia users. That data, which was previously traded for USD 5,000 or around Rp. 70 million, can now be downloaded for free.
Earlier, on the afternoon of Saturday, July 4, 2020, a member of a cybersecurity-related Facebook group with nearly 15 thousand members posted a link to download the data of 91 million Tokopedia accounts for free.
When traced, the link turned out to come from an account called @Cellibis on the RaidForums forum, which had first shared it on Friday, July 3, 2020. The account shared the data almost free of charge on RaidForums, having previously obtained it by buying it on the dark web for SGD 5000.
Responding to this, cybersecurity expert Pratama Persadha said that this was a very valuable lesson. Tokopedia, according to him, clearly must be held responsible because the user data it manages has leaked, and many parties will of course use it for crimes.
"This proves that Tokopedia has really been hacked, unlike Tokopedia's previous explanation, which said there was 'only' a hacking attempt on its platform," he told JawaPos.com.
Even though the data is free, downloading it is not easy. Because the file is stored on an American server, a VPN with an American IP address is required.
Pratama explained that RaidForums has its own currency, which members can use once they have registered. Members can deposit money through PayPal, with a minimum of EUR 8 (about IDR 130 thousand), which buys 30 credits.
Pratama, who also serves as Chairman of the Indonesian cyber research institute CISSReC (Communication and Information System Security Research Center), added that a payment of 8 credits is needed to get the data for 91 million Tokopedia accounts. Once the payment is made, a hosting link from a third party appears, and the download is a .zip file 9.5 Gb in size. After extraction, the final .txt file is 28.5 Gb.
"But it doesn't mean that we can open a text file of that size; there must be a special application such as UltraEdit to be able to open it. After that, we can see 91,174,216 data records containing full names, account names, emails, online stores, dates of birth, cellphone numbers, registration dates, as well as some encrypted data in the form of hashes," explained Pratama.
He continued that, with the search feature, any email address or phone number being looked for can easily be found. According to his observations, as of Sunday (5/7) at 10.00 WIB, the link to download the data for 91 million Tokopedia accounts could still be accessed, and 58 members had downloaded it.
The link page states that the link will expire within the next 5 days. The leaked data is the same as that from early May 2020, namely data taken as of March 2020.
"The existence of 91 million data leaks proves how weak our laws and regulations that cover cyberspace and personal data are. Once again, the Personal Data Protection Bill must be completed immediately and must regulate sanctions and technology standards that are implemented for electronic system operators," he stressed.
Pratama explained that without strict rules for every electronic system operator, both state and private, there is no pressure to build and maintain the best possible systems. The GDPR (General Data Protection Regulation), he said, offers an example: its derivative rules list which technologies must be applied. If there is a data leak, an inspection is carried out, and if something required has not been done, a lawsuit can be brought with a maximum value of EUR 20 million, or more than around Rp. 320 billion.