Personal data of 1.1 million RedMart user accounts stolen in Lazada breach and put up for sale

A Lazada spokesman said that the personal information stolen included names, phone numbers, encrypted passwords and partial credit card numbers. ST PHOTO: KELVIN CHNG

SINGAPORE - The personal information of 1.1 million RedMart user accounts was stolen from a customer database and put up for sale on an online forum.

A spokesman from e-commerce giant Lazada, which owns e-grocer Redmart, confirmed the data breach on Friday (Oct 30) and said that the personal information stolen included names, phone numbers, e-mail, mailing addresses, encrypted passwords and partial credit card numbers.

The company is in the process of reaching out to affected customers.

"Our cyber security team discovered an individual claiming to be in possession of a RedMart customer database taken from a legacy RedMart system no longer in use by the company," the spokesman said.

"This RedMart-only information is more than 18 months out of date and not linked to any Lazada database."

In a notification sent to affected users via e-mail and posted on its website, Lazada said the breach was discovered on Thursday as part of "proactive monitoring", and stressed that "current customer data" is not affected by the breach.

In a notification e-mail sent to affected customers, Lazada said it discovered the security breach on Oct 29 as part of its routine monitoring. PHOTO: ST READER

The company has also taken action to block unauthorised access to the database and informed the Personal Data Protection Commission (PDPC) of the breach.

A PDPC spokesman said the commission was aware of the incident and is currently investigating.

As a security measure, Lazada has logged every affected customer out of their existing accounts.

When these customers log in, they will be asked to create a new password. Customers were also advised to change their passwords frequently.

Lazada also warned customers to be on the alert for phishing e-mails, where scammers ask for sensitive information while pretending to be from Lazada.

"Lazada does not request customers to verify your personal information," the company said in the notification.

The breach likely happened due to an unsecured database on Magento - a commonly-used online retail payment platform - being exposed to the Internet without proper authentication, said Mr Stas Protassov, the co-founder and president of cyber-security firm Acronis.

"Although the data samples provided by the attackers are from 2019, it could still be used to create personalised phishing attacks, or even to (crack) the (encrypted) passwords for further attacks," Mr Protassov added.

"Therefore it's essential for customers to immediately change their passwords and stay vigilant for scam emails that might abuse this information in the near future."

Correction note: An earlier version of this story spelt Acronis president Stas Protassov's name wrongly. We are sorry for the error.

Join ST's Telegram channel and get the latest breaking news delivered to you.