Lazada, one of the most famous, or perhaps the most popular, e-commerce platforms in the world today and a Chinese-owned global business, suffered a massive data breach a few days ago. The Alibaba-owned firm revealed the bad news and specified that the intrusion was on one of its grocery affiliates, RedMart, in Singapore.
An immediate yet short statement was given by one of their spokespersons – “The user information that was illegally accessed includes names, phone numbers, email and mailing addresses, encrypted passwords and partial credit card numbers.”
Upon discovering the intrusion, the firm's business and security teams immediately took action and blocked access to the database. The security team has explicitly indicated that no current customer information was compromised during the intrusion. That is a bold claim coming from the firm, considering that more than 1 million user records from the breach are reportedly being sold on the Dark Web for the measly amount of US$1,500.
The hacking group responsible for the intrusion immediately claimed, in a post on a Dark Web forum, the hacking and retrieval of the more than 1 million Lazada user records.
According to the group, it was able to penetrate the firm's secure database, one of Lazada's MongoDB databases. Valued at billions of dollars, Lazada has been operating seamlessly, mostly in Asian countries.
As detailed by the hackers, each of the leaked user accounts contained passwords, phone numbers, email addresses, and parts of credit and debit card numbers (4-8 digits), including the expiration dates. These are just the standard sets of information per user record, which means that some users are more exposed than others. Lazada's security team immediately coordinated and sent out emails and notices to its users, informing them of the breach and that their data might have been compromised. It also stated that the leak was discovered via one of its network's active monitoring systems.
The security team also scoured the neighboring databases for any other security vulnerabilities to ensure that no others were affected. After exploring the leak's extent, they immediately identified that the downloaded information was quite old and outdated, about 2 years old to be exact. Lazada also indicated in its statements that the data is not easily accessible, assuring its customers and users that their personal information and passwords are fully encrypted.
However, an investigation of the data by security researchers revealed several user accounts with information that is still relatively new, from May to July of this year. The researchers also explicitly stated that SHA-1 encryption for user passwords can be easily bypassed by threat actors or hacking groups if they want to, thereby making Lazada's claim of secure information useless.
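To illustrate the researchers' point about SHA-1 from the defender's side, here is an added example (not code from Lazada, RedMart or the original article) that audits a user table for shared legacy digests and upgrades each record to a salted, slow hash on the next successful login. It assumes the legacy passwords are stored as bare, unsalted hex SHA-1, which the article does not specify; all function names, the work factor and the sample records are constructed for this example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example

def legacy_sha1(password):
    """Assumed legacy format: bare hex SHA-1, no salt, a single fast round."""
    return hashlib.sha1(password.encode()).hexdigest()

def slow_hash(password, salt=None):
    """Hardened format: per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%s$%s" % (salt.hex(), dk.hex())

def verify(password, stored):
    """Return (ok, replacement). replacement is a new hash to store when a
    legacy SHA-1 record has just been verified, otherwise None."""
    if stored.startswith("pbkdf2$"):
        salt = bytes.fromhex(stored.split("$")[1])
        return hmac.compare_digest(slow_hash(password, salt), stored), None
    ok = hmac.compare_digest(legacy_sha1(password), stored)
    return ok, (slow_hash(password) if ok else None)

def shared_legacy_digests(records):
    """Audit helper: groups of users whose legacy digest is identical.
    Without a salt, equal passwords always produce equal digests."""
    groups = defaultdict(list)
    for user, stored in records.items():
        if not stored.startswith("pbkdf2$"):
            groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed sample records, not data from the breach.
SAMPLE = {
    "alice": legacy_sha1("grocery123"),
    "bob": legacy_sha1("grocery123"),
    "carol": legacy_sha1("another-constructed-pw"),
}

if __name__ == "__main__":
    print("users sharing a digest:", shared_legacy_digests(SAMPLE))
    ok, replacement = verify("grocery123", SAMPLE["alice"])
    if ok and replacement:
        SAMPLE["alice"] = replacement  # upgrade the record on login
    print("after upgrade:", shared_legacy_digests(SAMPLE))
```

Once a record is upgraded it no longer matches any other user's stored value, and each guess against it costs 600,000 HMAC rounds instead of one SHA-1 call.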