Cashalo: 3.3 Million Users’ Data Sold On The Darknet


The Philippine-based online lending application Cashalo has suffered a massive data loss. Data of 3.3 million users was sold on two dark web sites, according to the National Privacy Commission (NPC).

According to the NPC, its investigation of the Cashalo data breach found email addresses, phone numbers, usernames, passwords and users’ device identifications being sold on the dark web by a user with the alias “creepxploit”.

The NPC believes that creepxploit successfully downloaded the files from Cashalo’s database, which may point to a violation of the application’s privacy measures. The data was then dumped on the dark web, where it was stated to have been sold from the 14th of February, 2021 onward.

“A certain user named ‘creepxploit’ sells data of 3.3 million users of Cashalo containing their usernames, passwords, email addresses, phone numbers, and device identifications on two sites on the dark web. The user even provides sample data for potential buyers,” NPC said.

“Given the facts, it is suspected that the user successfully downloaded files from Cashalo’s own database, which signifies a potential breach on the application. Creepxploit’s posts remain accessible as of writing,” it added.

On the 20th of February 2021, Cashalo sent a message to all its customers stating that it had possibly discovered a data breach on the 18th of February. However, Cashalo, which is operated by Oriente Express Techsystem Corporation, claimed that none of the accounts and passwords had been compromised in the data theft.

“The customer information that was alleged to have been illegally accessed include the usernames, emails, phone numbers, device ID, and encrypted passwords of Cashalo customers. Our encryption implementation ensured that no customer accounts or passwords were compromised,” Cashalo said in its message to customers.

“We want to be transparent about this incident with all our customers and reassure you that we are taking necessary measures. Protecting your privacy and data is of utmost importance to us. Apart from reviewing and fortifying our security infrastructure, we are working very closely with the relevant authorities on this incident and remain committed to providing all necessary support to you,” it added.

The application, Cashalo, operates a system where accredited users are permitted to buy appliances and other products based on instalments. The lending company bears the initial cost of the product, after which the buyer settles the account on a pre-agreed scheme with a fixed interest rate.

As a precautionary measure, Cashalo advised its customers to change their passwords and to refrain from giving out their passwords or other confidential information over the phone or in response to spam emails.

“Your existing Cashalo account password is protected by encryption. As a precaution, we encourage you to change your password. Please also continue to be on the alert for spam emails requesting personal or other sensitive information, as well as any unusual activity. Cashalo does not request customers to give their password information over email or phone,” the lending firm said.

The NPC stated that it had requested additional information from Cashalo regarding the stolen data. At the same time, it assured the public that it would not excuse any data protection or privacy violations.

“NPC immediately reached out to Cashalo through their data protection officer to relay the incident and required them to provide additional information. The Commission received Cashalo’s breach report last February,” NPC said.

“The Commission continues to monitor and investigate the case in coordination with the parties involved. Rest assured that the NPC does not condone any data privacy and protection violations, whether committed with malice or due to negligence. We hope to bring clarity to the incident soon and better protect those whose data privacy rights may have been compromised by this incident,” it noted.

Source: Inquirer
