Online shopping app Lazada denies alleged data breach
MANILA, Philippines — Claims that the information of about 18 million users of Lazada Philippines was being sold online were denied by the e-commerce platform on Wednesday.
Lazada issued the statement after a Facebook post from an account called Infosecdad went viral, reportedly identifying “a threat actor on a Chinese hacking forum” selling personal information of the company’s customers.
READ: Lazada Philippines CEO reaffirms commitment to ‘Best Price, Best Experience’ in 2024
“According to the forum posting, the information for sale includes names, mobile numbers, email addresses (both personal and corporate), gender, ID/certificate numbers, dates of birth, and physical addresses. The data set comprises approximately 18 million records of personally identifiable information,” Infosecdad wrote, along with a screenshot of the purported information.
“This is a significant breach. The forum post is difficult to detect using standard OSINT (open-source intelligence) tools due to its location on a Chinese hacking forum and the use of Chinese characters,” it adds.
“Notably, the forum does not use aliases or handler names; members are identified solely by numbers,” the post further reads.
In response to this, Lazada assured the public that it was “committed to providing a safe and trusted ecosystem for consumers, brands, and sellers” and that data security was its “highest priority.”
“Upon close review, we have determined that the information shared in the post (by account name: Infosecdad) is completely false, and we have found no matches in our customer database,” it clarified.
Hours later, however, Infosecdad replied to Lazada’s post saying that “there is no breach and leak” and had observed a “discrepancy” in the information featured in the screenshot allegedly posted by the “threat actor.”
“So we don’t know the quality of the data, and the actor is selling the said information for 600 USD (P35,360.40). Thanks, Lazada, for the response,” the account said.
