The private data of 3.3 million clients of Philippine based lending application Cashalo are being sold on the dark web.

According to the National Privacy Commission (NPC), the investigation on the Cashalo breach showed that usernames, passwords, e-mail addresses, phone numbers, and device identifications of users were being sold by a hacker using the moniker “crepxploit.”

The NPC thinks the hacker creepxploit successfully downloaded files from Cashalo’s database, and dumped the information on the dark web where it was sold starting February 14.

A certain user named ‘creepxploit’ sells data of 3.3 million users of Cashalo containing their usernames, passwords, e-mail addresses, phone numbers, and device identifications on two sites on the dark web. The user even provides sample data for potential buyers,

Given the facts, it is suspected that the user successfully downloaded files from Cashalo’s own database, which signifies a potential breach on the application. Creepxploit’s posts remain accessible as of writing,

National Privacy Commission

On February 20, 2021, Cashalo sent out a message to its users informing them that they discovered a possible data breach involving their archive database on February 18. However, Cashalo (operated by Oriente Express Techsystem Corporation) has claimed that no account or password has been compromised.

In the message Cashalo said:

The customer information that was alleged to have been illegally accessed include the usernames, emails, phone numbers, device ID, and encrypted passwords of Cashalo customers. Our encryption implementation ensured that no customer accounts or passwords were compromised…

We want to be transparent about this incident with all our customers and reassure you that we are taking necessary measures. Protecting your privacy and data is of utmost importance to us. Apart from reviewing and fortifying our security infrastructure, we are working very closely with the relevant authorities on this incident and remain committed to providing all necessary support to you,

Cashalo message to users
Cashalo Data

Cashalo advised customers to change their passwords as a precaution and refrain from giving their passwords and other confidential and personal details through spam e-mail messages or by phone.

“Your existing Cashalo account password is protected by encryption. As a precaution, we encourage you to change your password. Please also continue to be on the alert for spam emails requesting personal or other sensitive information, as well as any unusual activity. Cashalo does not request customers to give their password information over email or phone,” the lending firm said.

NPC said that they have requested additional information from Cashalo and assured the public that they would not condone any data privacy and protection violations.

NPC on Cashalo Data Breach

“NPC immediately reached out to Cashalo through their information protection officer to relay the incident and required them to provide additional information. The Commission received Cashalo’s breach report last February,” NPC said.

“The Commission continues to monitor and investigate the case in coordination with the parties involved. Rest assured that the NPC does not condone any data privacy and protection violations, whether committed with malice or due to negligence. We hope to bring clarity to the incident soon and better protect those whose data privacy rights may have been compromised by this incident,” it noted.