Singapore-based Lazada Group was the victim of a data breach on October 29, which it confirmed the next day. During a routine systems check, the company discovered that 1.1 million RedMart accounts had been compromised. The data leaked from these accounts included names, phone numbers, e-mail and mailing addresses, encrypted passwords and partial credit card numbers.
Lazada, an e-commerce company owned by the prolific Alibaba Group, discovered an anonymous individual who claimed to be in possession of leaked data from a legacy RedMart database. However, a spokesperson for the company said that this database was “no longer in use”. Moreover, the leaked database was reportedly last updated in 2019 and has no links to Lazada.
“We have taken immediate action to block unauthorised access to the database,” the Lazada spokesperson said. “Protecting the data and privacy of our customers is a top priority, and we are working swiftly to resolve this.”
Response measures
Lazada immediately logged out all existing users from their accounts. Following this, the company asked the users to change their passwords when they logged in next.
In a notification email, Lazada alerted its customers that it had discovered the security breach and was working actively to curb it. “For the avoidance of doubt, Lazada’s current customer data is not affected by this incident,” the email clarified.
The company also advised customers to be alert to phishing scams, in which attackers typically impersonate well-known companies to steal user credentials. Lazada has notified the Personal Data Protection Commission (PDPC) of the breach, and an investigation is in progress.