Hacker sells 26 million user records on the dark web, including 13 million from Indonesian e-commerce unicorn Bukalapak

Gnosticplayers strikes again. The latest batch includes user account information from two Indonesian sites.

A hacker using the pseudonym Gnosticplayers put data from 26 million user accounts on sale on a dark web marketplace, asking 1.2431 bitcoins (roughly US$5,000), ZDNet reported.

Half of those user records were lifted from Indonesian e-commerce site Bukalapak, one of the country’s major players alongside regional competitors Lazada and Tokopedia.

According to ZDNet, the hacker is offering sensitive information, including usernames, real names, email addresses, password hashes, and shopping histories.

Bukalapak’s head of corporate communications Intan Wibisono told KrASIA today that the company is aware of an attempt to breach Bukalapak’s servers a while ago, but says that the hacker did not manage to obtain important data like passwords, financial details, and other private information.

“We are always strengthening the security of our platform to ensure user safety on Bukalapak,” Wibisono told KrASIA. “We always remind users to pay closer attention to safety with online transactions. We advise users to change their passwords routinely and to activate two-factor authentication. We also advise our users to always keep their password secure and to follow Bukalapak’s security guide.”

Bukalapak wasn’t the only one affected.

Gnosticplayers, who is said to be from Pakistan, has reportedly stolen data from dozens of sites in various countries. He or she has been putting the information on sale in batches since February. The affected sites include US-based Dubsmash, Israel-based MyHeritage, EyeEm from Germany, and more.

The 13 million accounts taken from Bukalapak’s servers are part of the fourth batch, and this is the first time Indonesian user accounts are among those sold by Gnosticplayers. Besides Bukalapak, account data from 1.1 million users of YouthManual, an Indonesian student and career site, were also part of the package.

According to the information that the hacker provided about this data set, the breach of Bukalapak happened in 2017.

KrASIA has asked Bukalapak to share more details about the chronology of the breach and what it means for the platform’s users.

Editor: Brady Ng