MANILA - Sensitive data of 3.3 million Cashalo users have allegedly been sold on the dark web, the country's privacy body said Tuesday.
The National Privacy Commission (NPC) said the published details include usernames, passwords, e-mail addresses, phone numbers, and device identifications of users of the cash-loaning app.
NPC's initial probe showed that a user under the name "creepxploit" sold data of Cashalo users on the dark web, as shared in a post on https://cybleinc.com and RaidForums. The post provided sample data for potential buyers.
In a statement, the NPC said these data were dumped into different cyber forums since Feb. 14.
User "creepxploit" may have successfully downloaded the files from the application's database, which is still up for selling, said the NPC.
Cashalo said their cybersecurity team discovered a potential data security incident on Feb. 18, involving a Cashalo-only database archive.
It said an individual claimed to be in possession of a Cashalo customer database taken from a non-production system used by the company. This resulted in unauthorized access to a database archive of Cashalo customers.
Cashalo said its encryption implementation ensured that no customer accounts or passwords were compromised.
The company said it has since taken the system offline, activated investigations, and conducted impact assessments. It is also currently working closely with the NPC.
The NPC received Cashalo's report evening of Feb. 19.
Cashalo said they are notifying affected users about the potential data breach.
Roren Marie Chin, Chief of the Public Information and Assistance Divison of the NPC, said subscribers may wait for a notification from the Cashalo if they are included in the list of the affected accounts.
She advised Cashalo users to be vigilant with their accounts, change passwords, and implement other security measures.
report from Jacque Manabat, ABS-CBN News