The personal information from 1.1 million RedMart user accounts was stolen from a customer database and put up for sale on an online forum.
A spokesman for e-commerce giant Lazada, which owns e-grocer RedMart, confirmed the data breach yesterday, and said that the personal information stolen included names, phone numbers, e-mail and mailing addresses, encrypted passwords and partial credit card numbers.
The company is in the process of reaching out to affected customers.
“Our cyber-security team discovered an individual claiming to be in possession of a RedMart customer database taken from a legacy RedMart system no longer in use by the company,” the spokesman said.
“This RedMart-only information is more than 18 months out of date and not linked to any Lazada database.”
In a notification sent to affected users via e-mail and posted on its website, Lazada said the breach was discovered on Thursday as part of “proactive monitoring”, and stressed that “current customer data” is not affected by the breach.
The company has also taken action to block unauthorised access to the database and informed the Personal Data Protection Commission (PDPC) of the breach.
A PDPC spokesman said the commission is aware of the incident and is currently investigating it.
As a security measure, Lazada has logged all affected customers out of their existing accounts. When these customers log in, they will be asked to create a new password.
Customers have also been advised to change their passwords frequently.
Lazada also warned customers to be on the alert for phishing e-mails, where scammers ask for sensitive information while pretending to be from Lazada.
“Lazada does not request customers to verify your personal information,” the company said in the notification.
The breach probably occurred because an unsecured database on Magento – a commonly used online retail payment platform – was exposed to the Internet without proper authentication, said Mr Stas Potassov, co-founder and president of cyber-security firm Acronis.
“Although the data samples provided by the attackers are from 2019, it could still be used to create personalised phishing attacks or even to (crack) the (encrypted) passwords for further attacks,” Mr Potassov added.
“Therefore, it is essential for customers to immediately change their passwords and stay vigilant for scam e-mails that might abuse this information in the near future.”