TEMPO.CO, Jakarta - Millions of Tokopedia e-commerce user accounts have been breached. In fact, the owner of the @underthebreach Twitter account said the hacker had sold the Tokopedia database of 91 million accounts for US$5,000 (Rp74.5 million) on the Darknet.

Cyber security expert from Vaksin.com, Alfons Tanujaya, said that the breached information were usernames, email addresses, date of births, and telephone numbers. "Nearly 100 percent of Tokopedia user accounts have been breached," he told Tempo, May 3, 2020.

Alfons reminded two possible threats that might occur to the account holders, namely phishing and brute force. "Exploitation of email data, cellphone numbers and other sensitive data such as birth dates are very vulnerable to be used for phishing, scam and telemarketing activities," he said.

In computer terms, phishing is a form of fraud characterized by attempts to obtain sensitive information, such as passwords and credit cards, by posing as a trusted person or business in an official electronic communication, such as electronic mail or instant messages. While pure brute force uses computer to crack passwords.

According to Alfons, the brute force method is easily prevented. "Just give them time pendings, one mistaken password from the hacker means they get 10 minutes pending, twice means 20 minutes pending, three times means 40 minutes pending, and so on, so the hack will not work," he said.

Meanwhile, if phishing happens, the loss depends on the victim. "If the account holders were successfully deceived and not get an update, well they could easily enter their credentials into fake sites," he said.

Alfons said all online services were targeted by hackers. According to him, what happened in Tokopedia was still relatively not too dangerous. "It's still good to have a hash (encrypted) and has implemented TFA (Two Factor Authentication), so the user accounts are safe," he said.

Based on the test conducted by Vaksin.com, said Alfons, if there is someone who knows the username and password of the account holder after it was successfully breached, then there will be two factors of authentication.

"So the hacker will request verification to WhatsApp or SMS. If the user clicks on WhatsApp then a verification is sent to WhatsApp with a user login record from the new device."

"If you have never logged in from a new device, then Tokopedia verification suddenly appears, that means your credentials have been breached and you have to replace it. And never give the verification code you received to anyone, even if they claim to be from Tokopedia," Alfons said.

Meanwhile, Tokopedia's Corporate Communication VP Nuraini Razak confirmed that there was an attempt of data theft on its platform users. However, the company ensures that important user information, such as passwords, remains successfully protected.

"Although users' passwords and crucial information are still protected behind encryption, we encourage Tokopedia users to keep changing their account passwords regularly for security and convenience," Nuraini said.

CAESAR AKBAR | PETIR GARDA BHWANA