ORIGINAL STORY (12:52 PM): A significant number of user accounts belonging to local e-payment provider, E-Pay Malaysia has made their way to a popular database marketplace forum. According to the listing, the seller claims that the database which was dated January 2020 contained information belonging to 380,000 accounts. The listing was first noted by Twitter user @Bank_Security which often listed bank and cybersecurity threats from all over the world. The existence of the listing was then spread like wildfire after it was made viral by local IT-oriented Facebook page, OMG Hackers. https://twitter.com/Bank_Security/status/1356680787203002374 The seller claimed that the database contained a user name, e-mail address, date of birth, contact address, and a mobile phone number. However, the account password and related tokens have apparently been masked. Our quick check into the said forum showed that the listing has been removed though. That being said, we have discovered through a search cache that the seller is offering the database for just USD 300 (~RM 1,216).
Even though the listing is no longer there in the said forum, we highly recommend all E-Pay Malaysia’s customers and merchants out there to change your password. We are now attempting to reach out to E-Pay Malaysia for clarification as well as the Malaysia Computer Emergency Response Team who apparently have been alerted about the listing. UPDATE (8:15 PM): GHL Systems, the parent company of E-Pay Malaysia has responded to the database listing above by issuing a statement on its Facebook page: Based on our understanding of the statement above, the matter is now under investigations which means nothing is confirmed at the moment. In other words, GHL is still investigating whether the claim by the database seller is real or otherwise. That being said, the statement also noted that this so-called “unconfirmed report” only involves the E-Pay E.V.E system which covers online reload and bill payment collection. Nevertheless, GHL has advised its customers to change their passwords.