Reports have surfaced that personal details of at least 380,000 e-pay Malaysia customers are being allegedly sold on an online data-sharing forum for USD 300. The transaction was highlighted on Twitter and shared on Facebook at 3 a.m. on Thursday.
From what we can see of a sample record that has since been deleted on the forum, data being leaked consists of names, full addresses, passwords, mobile phone numbers, and more. It’s unclear whether or not the payment gateway itself has been hacked. This might just be a website hack through e-pay.com.my, as the details shared in the leak line up with the website’s user info field.
Other products like the online payment gateway and terminal might not be affected, as we haven’t seen any victims sharing on social media that their financial accounts have been affected yet. To be on the safe side though, e-pay Malaysia customers should change their username and passwords, even if they may not be one of the 380,000 users affected. Additionally, users should consider deactivating or deleting their accounts until e-pay Malaysia makes an official statement on this, or at least avoid making any transactions through the site for the meantime.
E-pay is Malaysia’s largest prepaid top-up and bill collection network. Its merchants include telcos, such as Hotlink, DiGi, and Celcom XPAX, online gaming sites, like Steam, Razer Gold, and PlayStation, and retail outlets that include Petronas, Aeon, MyNEWS, Petron, MyDin, and Mr DIY. The firm also services most card and e-wallet payments such as Visa, MasterCard, GrabPay, and Touch ‘n Go eWallet.
On Thursday evening, the e-pay Malaysia team responded with a media statement to acknowledge the issue. “The GHL Group on behalf of e-pay Malaysia stated that the above allegations are isolated only to the e-pay online reload and bill payment collection system (EVE),” it said.
“The EVE system operates on an independent standalone system which does not interfere with the technical operations of other e-pay and GHL merchant acquiring systems and servers, so their other businesses and operations will not be impacted,” the company added.
As investigations are still being conducted, it advises EVE users to go to the official website and change passwords as precautionary measures, and avoid clicking on unverified email links urging them to update their credentials.
This article was originally published by Vulcan Post.