Personal info of 3.3-M Cashalo users sold in dark web

MANILA, Philippines — Information on 3.3 million users of a mobile lending platform was found for sale on the dark web after a data breach last week, privacy regulators said on Tuesday.

Usernames, passwords, email addresses, phone numbers and other device information from Cashalo, the lending platform, were being sold by a user with the username “creepxploit,” according to the initial investigation of the National Privacy Commission (NPC).

The watchdog’s preliminary findings directly contradict those of Cashalo, which reported only on Monday that no account had been compromised in the data breach on February 18. The company could not be immediately reached for comment.

“The user may have successfully downloaded files from the database of the application, for which is still up for selling as of writing, February 22,” the privacy body said.

In fact, the infiltration of personal information was so extensive that the vendor, NPC said, even provided sample data to prospective buyers of the information, a direct threat to the privacy of the individuals who used the Cashalo service. 

On top of that, the stolen user information was likewise found posted on several online forums since February 14, including RaidForums, a database sharing platform. The data breach was discovered only four days later, on February 18, and was reported to authorities by email the following day, after office hours at 9:58 p.m.

“Given the facts of the report, the user may have successfully downloaded files from the database of the application, for which is still up for selling as of this writing, February 22, 2021,” NPC said.

Cashalo, a joint venture of Express Holdings Inc., a subsidiary of Gokongwei-led JG Summit Inc., and Oriente Express Techsystem Corp., previously assured that the accounts and passwords of affected users could not be accessed because they were supposedly encrypted. 

“The Commission intends to do further monitoring and investigation in cooperation with the parties involved— upholding its mandate in protecting personal information of data subjects,” NPC said.
