MANILA, Philippines — Information of 3.3 million users of online lending application Cashalo are being sold over two sites on the dark web, the National Privacy Commission (NPC) said Tuesday.
According to NPC, its investigation on the Cashalo data breach revealed that usernames, passwords, e-mail addresses, phone numbers, and device identifications of users were being sold by a person using the username “crepxploit.”
NPC thinks creepxploit successfully downloaded files from Cashalo’s own database, which may indicate a violation of the app’s privacy measures, and then dumped the data on the dark web where it was sold starting February 14.
“A certain user named ‘creepxploit’ sells data of 3.3 million users of Cashalo containing their usernames, passwords, e-mail addresses, phone numbers, and device identifications on two sites on the dark web. The user even provides sample data for potential buyers,” NPC said.
TECHNOLOGY
TECHNOLOGY
TECHNOLOGY
“Given the facts, it is suspected that the user successfully downloaded files from Cashalo’s own database, which signifies a potential breach on the application. Creepxploit’s posts remain accessible as of writing,” it added.
Last February 20, Cashalo sent out a message to its customers saying they discovered a possible data breach involving their archive database last February 18. However, Cashalo — operated by Oriente Express Techsystem Corporation — claimed that no account or password has been compromised.