E-commerce retailer Lazada is blaming a third-party technology provder for allowing hackers to stealing personal data of 13 million users from its Thai platform.
Representatives of the Singapore-based company that is part of China’s Alibaba group claimed Lazada was a “victim” and did not leak the data which was advertised for sale on the internet on Friday.
The e-retailer claimed – and the Digital Economy and Society Ministry confirmed – that rival Shopee and the Line messaging app also were hit by hackers, although neither company has acknowledged any data breach.
The data leak is the second to hit Lazada in weeks. Earlier 1.1 million accounts were hacked in Singapore.
Lazada has begun and internal investigation and has been summoned by the digital ministry for a meeting on Monday.
The company said the leak came from a third-party tech provider, although the firm would not disclose the name of the partner nor the function its software supplied.
On Friday a hacker using moniker “Databox” posted on the Rad Forums that he had obtained 13 million records from Lazada – 12.3 million names, 9.3 million telephone numbers and 1.3 million emails.
Unlike past hacks, the a 50,000-record sample file was easily found on the open internet, versus the so-called “dark web”. Less than 130,000 of the records were for accounts held by non-Thais. But the records also included transaction dates, amounts, sales channel and channels.
No passwords or financial details were included.
The stolen data also is limited to 2018 and before, which is born out by the sample file.
While the data is old, it opens up millions of unsuspecting Lazada customers to email phishing schemes.
Lazada claims it has strictly followed data-protection standards and always emphasizes data privacy, despite the two hacks that indicate otherwise.