Data of 3.3 million Cashalo users sold on dark web, says privacy body

MANILA, Philippines — Information on 3.3 million users of the online lending application Cashalo is being sold on two sites on the dark web, the National Privacy Commission (NPC) said Tuesday.

According to the NPC, its investigation into the Cashalo data breach found that usernames, passwords, e-mail addresses, phone numbers, and device identifications of users were being sold by a person using the username “creepxploit.”

The NPC believes creepxploit successfully downloaded files from Cashalo’s own database, which would indicate a failure of the app’s privacy measures, and then dumped the data on the dark web, where it has been offered for sale since February 14.

“A certain user named ‘creepxploit’ sells data of 3.3 million users of Cashalo containing their usernames, passwords, e-mail addresses, phone numbers, and device identifications on two sites on the dark web. The user even provides sample data for potential buyers,” NPC said.

“Given the facts, it is suspected that the user successfully downloaded files from Cashalo’s own database, which signifies a potential breach on the application. Creepxploit’s posts remain accessible as of writing,” it added.

On February 20, Cashalo sent a message to its customers saying it had discovered a possible data breach involving its archive database on February 18. However, Cashalo — operated by Oriente Express Techsystem Corporation — claimed that no account or password had been compromised.

“The customer information that was alleged to have been illegally accessed include the usernames, emails, phone numbers, device ID, and encrypted passwords of Cashalo customers. Our encryption implementation ensured that no customer accounts or passwords were compromised,” Cashalo said in its message to customers.

“We want to be transparent about this incident with all our customers and reassure you that we are taking necessary measures. Protecting your privacy and data is of utmost importance to us. Apart from reviewing and fortifying our security infrastructure, we are working very closely with the relevant authorities on this incident and remain committed to providing all necessary support to you,” it added.

Cashalo operates a system in which accredited users are allowed to purchase appliances and other products on an installment basis. The lending firm shoulders the initial cost of the product, and the buyer settles the account under a fixed, pre-agreed interest scheme.

As a precautionary measure, Cashalo advised customers to change their passwords and to refrain from giving out their passwords and other confidential personal details in response to spam e-mail messages or phone calls.

“Your existing Cashalo account password is protected by encryption. As a precaution, we encourage you to change your password. Please also continue to be on the alert for spam emails requesting personal or other sensitive information, as well as any unusual activity. Cashalo does not request customers to give their password information over email or phone,” the lending firm said.

The NPC said it had requested additional information from Cashalo about the data breach, and assured the public that it would not condone any data privacy and protection violations.

“NPC immediately reached out to Cashalo through their data protection officer to relay the incident and required them to provide additional information. The Commission received Cashalo’s breach report last February,” NPC said.

“The Commission continues to monitor and investigate the case in coordination with the parties involved. Rest assured that the NPC does not condone any data privacy and protection violations, whether committed with malice or due to negligence. We hope to bring clarity to the incident soon and better protect those whose data privacy rights may have been compromised by this incident,” it noted.
