Personal data from 1.1 million RedMart accounts stolen: Lazada

The stolen information was from a Redmart-only database that had not been updated since more than 18 months ago last March. PHOTO: SCREENGRAB FROM REDMART.LAZADA.SG
Lester Wong
Updated
Oct 31, 2020, 03:22 PM
Published
Oct 31, 2020, 05:00 AM

The personal information from 1.1 million RedMart user accounts was stolen from a customer database and put up for sale on an online forum.

A spokesman for e-commerce giant Lazada, which owns e-grocer RedMart, confirmed the data breach yesterday, and said that the personal information stolen included names, phone numbers, e-mail and mailing addresses, encrypted passwords and partial credit card numbers.

The company is in the process of reaching out to affected customers.

"Our cyber-security team discovered an individual claiming to be in possession of a RedMart customer database taken from a legacy RedMart system no longer in use by the company," the spokesman said.

"This RedMart-only information is more than 18 months out of date and not linked to any Lazada database."

In a notification sent to affected users via e-mail and posted on its website, Lazada said the breach was discovered on Thursday as part of "proactive monitoring", and stressed that "current customer data" is not affected by the breach.

The company has also taken action to block unauthorised access to the database and informed the Personal Data Protection Commission (PDPC) of the breach.

A PDPC spokesman said the commission is aware of the incident and is currently investigating it.

As a security measure, Lazada has logged all affected customers out of their existing accounts. When these customers log in, they will be asked to create a new password.

Customers have also been advised to change their passwords frequently.

Lazada also warned customers to be on the alert for phishing e-mails, where scammers ask for sensitive information while pretending to be from Lazada.

"Lazada does not request customers to verify your personal information," the company said in the notification.

HOW BREACH WAS UNCOVERED

Our cyber-security team discovered an individual claiming to be in possession of a RedMart customer database taken from a legacy RedMart system no longer in use by the company... This RedMart-only information is more than 18 months out of date and not linked to any Lazada database.
SPOKESMAN FOR LAZADA

The breach likely happened due to an unsecured database on Magento - a commonly used online retail payment platform - being exposed to the Internet without proper authentication, said Mr Stas Protassov, co-founder and president of cyber-security firm Acronis.

"Although the data samples provided by the attackers are from 2019, it could still be used to create personalised phishing attacks or even to (crack) the (encrypted) passwords for further attacks," Mr Protassov added.

"Therefore, it is essential for customers to immediately change their passwords and stay vigilant for scam e-mails that might abuse this information in the near future."

Correction note: An earlier version of this story spelt Acronis president Stas Protassov's name wrongly. We are sorry for the error.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on October 31, 2020, with the headline Personal data from 1.1 million RedMart accounts stolen: Lazada. Subscribe

Available for
iPhones and iPads
Available in
Google Play

MCI (P) 066/10/2023. Published by SPH Media Limited, Co. Regn. No. 202120748H. Copyright © 2024 SPH Media Limited. All rights reserved.

Back to the top