Hashed Passwords and Password Reset Codes Have Been Leaked in a Massive Tokopedia Data Breach


Last week, data breach monitoring service Under the Breach noticed an interesting post on a popular hacking forum. The author was offering 15 million user records stolen from Tokopedia, one of Indonesia's biggest ecommerce platforms, completely free of charge. The data was stolen in March this year, and the person sharing it claimed that it was a part of a much bigger dump, which he intended to monetize. Indeed, a day later, Under the Breach said that "the same actor" was selling a whopping 91 million Tokopedia records for $5 thousand on a dark web marketplace.

Predictably, people started asking questions, and, far from denying the breach, Tokopedia held a meeting with representatives of several Indonesian government agencies to clear things up. According to The Jakarta Post, Johnny Plate, the country's Communication and Information Minister, was assured during that meeting that shoppers' "user accounts and financial data are safe." But is this really the case?

Hackers stole hashed passwords and are trying to find a way of cracking them

It might seem a bit strange at first. On the one hand, data was indeed stolen, but on the other, people don't need to worry about their accounts. The confusion comes from the fact that The Jakarta Post shared no technical details with its readers. Fortunately, ZDNet did.

The good news is that Tokopedia does not store passwords in plaintext. When he shared the first 15 million records for free, the person responsible for the breach asked his fellow hackers to help him crack the login credentials stored in the database. According to ZDNet, this is no mean feat. The passwords were apparently hashed with SHA2-384, and the hacker himself admitted that he couldn't pilfer the cryptographic salts used to improve the security of the hashing algorithm. As a result of all this, turning the hashes into plaintext passwords and logging into people's accounts would be pretty hard.

This is why Johnny Plate said that Tokopedia users' accounts are safe, and this is why the hacker is selling the dump for a relatively modest $5 thousand. Unfortunately, it doesn't mean that people should relax.

Affected Tokopedia users face a number of threats

As ZDNet pointed out, SHA2-384 might be considered secure, but this doesn't mean that it's infallible. Recently, for example, hackers stole a database from Quidd, a platform for trading digital collectibles, and they were initially disappointed to learn that the passwords had been hashed with bcrypt, another strong hashing algorithm. Some of the crooks did decide to give it a go, however, and inevitably, a portion of the hashes was cracked.
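The two passages above (salted SHA2-384 making the Tokopedia hashes hard to reverse without the salts, and bcrypt-style slow hashing still being brute-forced at Quidd) come down to two properties of password storage: a per-user salt, and a deliberately expensive hash. The following is an added example, not Tokopedia's or Quidd's code, and it assumes nothing about their real schemes beyond what the article reports; the record layout, the `hash_sha384`/`hash_pbkdf2`/`verify`/`login_and_upgrade` names and the PBKDF2 iteration count are this example's own choices. It shows a salted single-pass SHA-384 record, a salted slow record (PBKDF2-HMAC-SHA384 from the standard library standing in for bcrypt), constant-time verification, and the transparent rehash-on-login path a site would use to move users from the fast scheme to the slow one.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Stored record layout used by this example (an assumption, not Tokopedia's format):
#   "<scheme>$<iterations>$<salt_hex>$<digest_hex>"
FAST_SCHEME = "sha384"          # salted single-pass SHA-384, as reported for the breach
SLOW_SCHEME = "pbkdf2_sha384"   # salted and deliberately slow, the property bcrypt adds
PBKDF2_ITERATIONS = 200_000     # example work factor; tune to your latency budget


def hash_sha384(password: str, salt: Optional[bytes] = None) -> str:
    """Salted single-pass SHA-384 with a fresh 16-byte salt per user."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.sha384(salt + password.encode("utf-8")).digest()
    return f"{FAST_SCHEME}$1${salt.hex()}${digest.hex()}"


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA384: every guess costs `iterations` HMAC calls."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha384", password.encode("utf-8"), salt, iterations)
    return f"{SLOW_SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if scheme == FAST_SCHEME:
        candidate = hashlib.sha384(salt + password.encode("utf-8")).digest()
    elif scheme == SLOW_SCHEME:
        candidate = hashlib.pbkdf2_hmac("sha384", password.encode("utf-8"), salt, int(iterations))
    else:
        return False  # unknown scheme
    return hmac.compare_digest(candidate, expected)


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify a login; on success, rehash fast-scheme records with the slow scheme.

    Returns (login_ok, record_to_store). The plaintext is only available at login,
    so this is the moment to migrate without forcing a reset.
    """
    if not verify(password, stored):
        return False, stored
    if stored.startswith(FAST_SCHEME + "$"):
        return True, hash_pbkdf2(password)
    return True, stored


def salts_differ(record_a: str, record_b: str) -> bool:
    """True when two records of the same password share neither salt nor digest.

    This is what keeps one precomputed table from covering every user at once,
    and why the salts matter so much to anyone holding the dump.
    """
    _, _, salt_a, digest_a = record_a.split("$")
    _, _, salt_b, digest_b = record_b.split("$")
    return salt_a != salt_b and digest_a != digest_b


if __name__ == "__main__":
    sample = "correct horse battery staple"   # constructed sample password
    old_record = hash_sha384(sample)
    ok, new_record = login_and_upgrade(sample, old_record)
    print(ok, new_record.split("$")[0])       # True pbkdf2_sha384
```

The salt does not need to be secret for the scheme to work, but storing salts in a separate table from the digests (as the article suggests happened here) means a partial exfiltration leaves the digests unusable even for a dictionary attack. The slow scheme is what limits the damage once both are taken.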

Even without the passwords, the people who get their hands on the Tokopedia data could be looking at a number of attack opportunities. After skimming through a copy of the initial dump, ZDNet said that the records contain quite a lot of personal information, like names, emails, and dates of birth, as well as a ton of profile-specific details like account creation dates, location information, education, about-me fields, etc. Apparently, password reset codes were also leaked, though it remains unclear whether they're valid.
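Whether leaked reset codes are still usable depends entirely on how they were stored and scoped. The following is an added example, not Tokopedia's code, and the `ResetCodeStore` class, its method names and the 15-minute lifetime are this example's own assumptions. It shows the storage pattern that makes a reset-code column worthless in a dump: the database holds only a SHA-256 fingerprint of each code, every code expires quickly and can be redeemed once, and an incident-response `revoke_all` invalidates everything outstanding.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional

RESET_TTL_SECONDS = 15 * 60   # short lifetime (assumed value): a leaked code should already be dead


def fingerprint(token: str) -> str:
    """Only this digest is written to the database; the token itself goes to the user."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetCodeStore:
    """In-memory stand-in for a password_reset table (constructed for this example)."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}   # key: token fingerprint, never the token

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a code for the user and return it for out-of-band delivery."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)              # 256 bits of entropy: not guessable
        self._rows[fingerprint(token)] = {
            "user_id": user_id,
            "expires_at": now + RESET_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the code is unused and unexpired, else None; single use."""
        now = time.time() if now is None else now
        row = self._rows.get(fingerprint(token))
        if row is None or row["used"] or now > row["expires_at"]:
            return None
        row["used"] = True
        return row["user_id"]

    def revoke_all(self) -> int:
        """Incident response after a database leak: invalidate every outstanding code."""
        count = 0
        for row in self._rows.values():
            if not row["used"]:
                row["used"] = True
                count += 1
        return count

    def dumped_values(self) -> List[str]:
        """What a stolen copy of the table contains: fingerprints only."""
        return list(self._rows.keys())


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("user-42")                  # constructed sample user
    print(store.redeem(code))                      # user-42
    print(store.redeem(code))                      # None (already used)
```

A stolen fingerprint cannot be presented as a code, because the server fingerprints whatever it receives before the lookup; a stolen code that was issued more than the TTL ago is dead on arrival; and revoking everything outstanding at the first sign of a breach is cheap.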

It was a massive data breach, and the hacker took off with quite a lot of information, which can help cybercriminals devise a number of different scams. Tokopedia account owners should be a bit more careful from now on.

May 5, 2020
