Tokopedia is Indonesia’s largest and most popular e-commerce website, with about 90 million monthly active users and more than 7 million registered merchants on the platform.
A hacker has leaked the details of approximately 15 million registered Tokopedia users. The hacker gained access to a small portion of the Tokopedia user database, and the intrusion is said to have taken place in March 2020.
As the hacker couldn’t crack the passwords, which are in hashed form, he or she posted the data on a hacker forum so that someone could help find the passwords.
Following the incident, ZDNet managed to get a copy of the leaked file from the hacker forum.
It was a PostgreSQL database dump file that the hacker uploaded to the hacker forum.
On further investigation, ZDNet found user data such as names, phone numbers, email addresses, passwords in hashed form, dates of birth and other profile-related information such as joining date, last login, password reset codes, hobbies, education, "about me" fields and other data of this sort.
The passwords in the leaked file are hashed with the SHA-384 algorithm, which is considered fairly secure and is not easy to crack.
To further increase the security of hashed passwords, a technique called ‘salting’ is generally employed. That is the case here, and the salt, the random string used to improve the security of the SHA-384 hashes, is not available. So it would take more time for anyone to crack the passwords or even come close to doing so.
All Tokopedia users are advised to change their passwords as soon as possible. Because the salt string is not yet available, users have more time to change their passwords. Tokopedia is currently investigating the issue.
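To make the role of the salt concrete, here is an added example (not code from Tokopedia or from the original article) of how a site can store and check salted SHA-384 password hashes. It goes one step beyond the article by placing an iterated variant, PBKDF2-HMAC-SHA384, beside the single-pass hash. The salt-then-password layout, the record fields, the iteration count and the sample password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


def salted_sha384(password: str, salt: bytes) -> str:
    """Single-pass salted SHA-384. The salt || password layout is an assumption."""
    return hashlib.sha384(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_sha384(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Iterated variant: every check costs `iterations` HMAC-SHA384 rounds.
    The default iteration count is illustrative, not a recommendation."""
    raw = hashlib.pbkdf2_hmac("sha384", password.encode("utf-8"), salt, iterations)
    return raw.hex()


def new_record(password: str, hasher=pbkdf2_sha384) -> dict:
    """Create a stored credential with a fresh random 16-byte salt per user."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hasher(password, salt)}


def verify(password: str, record: dict, hasher=pbkdf2_sha384) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    return hmac.compare_digest(hasher(password, record["salt"]), record["hash"])


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    alice = new_record(password, salted_sha384)
    bob = new_record(password, salted_sha384)
    unsalted = hashlib.sha384(password.encode("utf-8")).hexdigest()
    return {
        # Same password, different salts: the stored hashes do not match.
        "same_password_distinct_hashes": alice["hash"] != bob["hash"],
        # A plain SHA-384 digest of the password matches neither record.
        "unsalted_digest_matches": unsalted in (alice["hash"], bob["hash"]),
        "correct_password_verifies": verify(password, alice, salted_sha384),
        "wrong_password_verifies": verify("wrong guess", alice, salted_sha384),
        "pbkdf2_roundtrip": verify(password, new_record(password)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The server can verify a login only because it keeps each user's salt next to the hash; the iterated variant additionally makes every verification deliberately expensive.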