Sensitive information of Cashalo users has been sold on the dark web, NPC said on Tuesday.
The National Privacy Commission (NPC) on Tuesday warned of possible data breaches in connection with the “Cashalo” loan application, with details of its 3.3 million users allegedly being sold online.
The National Privacy Commission (NPC) said published information included usernames, passwords, email addresses, phone numbers, and identification of users of the loan application.
In a statement, Roren Marie Chin, head of the NPC’s Public Information and Assistance Division, said the organization had conducted an initial data breach investigation and found that Cashalo’s data disposal, conducted by Oriente Express Techsystems Corporation, had been sent to various cyber forums since February 14.
An initial NPC investigation has revealed that a user called “creepxploit” has sold Cashalo user data on a dark web, as shared in posts on https://cybleinc.com and RaidForums. The post provided sample data for potential buyers.
He said the vendor may have successfully downloaded files from Cashalo’s database and realized that the data depot would be sold on Monday.
Cashalo said their cybersecurity team had detected a potential data security incident on February 18, which only affected Cashalo’s database.
The NPC contacted Cashalo for their information protection assistance to contact the offender and required them to provide additional information.
It said someone claimed to have a database of Cashalo customers taken from a non-productive program used by the company.
This has led to unauthorized access to Cashalo customer archiving.
Cashalo said its use of secrecy ensures that no customer accounts or passwords are compromised.
As of Tuesday, RaidForums.com’s post on the alleged sale has been removed.
Cashalo said he was informing affected users about possible data breaches.
He advised Cashalo users to monitor their accounts, change passwords, and use other security measures.