As many as 380,000 user accounts belonging to e-pay customers have allegedly been exposed in a data breach, compromising their personal details. The database, which was dated as being current as of January 2020, was put up for sale on the popular database marketplace forum RaidForums for a total sum of US$300 (approximately RM1,216).
The listing was first brought to public attention yesterday (3 February) by Twitter user @Bank_Security, an account that regularly highlights bank and cybersecurity threats around the world. It was then picked up by a local IT-oriented Facebook page, OMG Hackers, and has since been extensively shared.
— Bank Security (@Bank_Security) February 2, 2021
Based on the screenshot captured, the database for sale contains various important details about the users, such as their name, email address, house address, date of birth, mobile number, and hashed password. That said, a quick check by local tech portal Lowyat.NET earlier today revealed that the seller’s post has been taken down from RaidForums.
For context, e-pay Malaysia is a prominent e-payment service provider, known for offering prepaid top-up services for telcos, bill payment collection services, as well as online game, IDD, and e-wallet reloads. It is owned by GHL Systems Berhad, one of the pioneering payments processing companies in Malaysia. It also has a presence in several other countries, including Singapore, the Philippines, and Australia.
In response to this alleged breach, GHL Systems has released a statement via Facebook saying that it is “currently investigating these serious allegations” and checking its system. It also reiterated that the allegations are isolated to the e-pay online reload and bill payment collection system (E.V.E.); other e-pay and GHL businesses and operations are not impacted.
“The E.V.E. system operates on an independent standalone system which does not interfere with the technical operations of other e-pay and GHL merchant acquiring systems and servers,” said the company. It also urged its users to take precautionary measures by changing their passwords, and to avoid clicking on unverified email links that urge them to update their credentials.