The National Privacy Commission on Tuesday warned of a possible data breach concerning cash-loaning application “Cashalo,” with the private information of its 3.3 million users allegedly put up for sale online.
In a statement, Roren Marie Chin, chief of Public Information and Assistance Division of the NPC, said the agency did a preliminary probe on the data breach and found that a data-dump of Cashalo, operated by Oriente Express Techsystem Corporation, has been posted on different cyber forums since Feb. 14.
“A certain user under ‘creepxploit’ is selling the data of 3.3 million users of Cashalo containing their usernames, passwords, e-mail addresses, phone numbers and device identifications on the dark web as shared in a post on cybleinc.com and RaidForums – even provided sample data for potential buyers,” Chin said.
The seller, she said, may have successfully downloaded files from the Cashalo database, noting that the data-dump was still up for sale as of Monday.
The NPC has reached out to Cashalo through its data protection officer to coordinate on the breach and required the company to provide additional information.
She said the NPC has also received a breach report filed by Cashalo via email Friday last week.
“From this breach notification received, the Commission intends to do further monitoring and investigation in cooperation with the parties involved — upholding its mandate in protecting the personal information of data subjects,” Chin said.
As of Tuesday, the post on RaidForums.com on the alleged sale has been taken down.
Cashalo said its IT security team discovered Friday last week a potential data breach involving its database archive but assured its users that their accounts and passwords are encrypted and have not been compromised.
On Feb. 14, cybersecurity platform Cyble reported that about 3 billion data credentials were leaked on the dark web and included the full names, email, and other personal information of 3.3 million Cashalo users.