3.3 million Cashalo users’ data sold online – privacy body

In a statement, the NPC said a certain user named “creepxploit” was selling data of millions of Cashalo users containing their usernames, passwords, e-mail addresses, phone numbers and device identifications on two sites on the dark web.
“The user even provides sample data for potential buyers. Given the facts, it is suspected that the user successfully downloaded files from Cashalo’s own database, which signifies a potential breach on the application,” said the privacy body.
“NPC immediately reached out to Cashalo through their data protection officer to relay the incident and required them to provide additional information. The commission received Cashalo’s breach report last Feb. 19,” it added.
NPC chief of public information and assistance division Roren Marie Chin urged Cashalo subscribers to contact the data privacy officer of Cashalo or wait for their notification if they are included in the affected accounts.
“In the meantime, be vigilant on the accounts connected with the platform. Change passwords and implement other security measures,” she added.
The privacy body said it continues to monitor and investigate the case in coordination with the parties involved, stressing that it does not condone any data privacy and protection violations.
Cashalo earlier reported a potential data security breach involving its database archive, but added that its “encryption implementation ensured that no customer accounts or passwords were compromised.”
The fintech company has yet to comment on the latest statement by the privacy body.
function statusChangeCallback(response) { console.log('statusChangeCallback'); console.log(response); // The response object is returned with a status field that lets the // app know the current login status of the person. // Full docs on the response object can be found in the documentation // for FB.getLoginStatus(). if (response.status === 'connected') { // Logged into your app and Facebook. //testAPI(); } else if (response.status === 'not_authorized') { // The person is logged into Facebook, but not your app. } else { // The person is not logged into Facebook, so we're not sure if // they are logged into this app or not. } }
function checkLoginState() { FB.getLoginStatus(function(response) { statusChangeCallback(response); }); }
window.fbAsyncInit = function() { FB.init({ appId : '1775905922621109', xfbml : true, version : 'v2.8' });
FB.getLoginStatus(function(response) { statusChangeCallback(response); }); };
(function(d, s, id){ var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) {return;} js = d.createElement(s); js.id = id; js.src = "https://connect.facebook.net/en_US/sdk.js"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));
function testAPI() { whiteout_reset();
FB.api('/me', {fields: 'id, email, first_name, last_name'}, function(response) { $.post('https://www.philstar.com/check_credentials.php', "id=" + response.id + "&email=" + response.email + "&firstname=" + response.first_name + "&lastname=" + response.last_name + "&remember=" + $("#ps_remember").prop('checked'), function(msg) { console.log("credentials: " + msg); if (msg.trim() == "logged" || msg.trim() == "added") { location.reload(); } else { $("#floatingBarsG").css({display: "none"}); $("#popup").css({display: "block"}); $("#popup_message").text("Email address already in use."); } }); }); }
function fb_share(url) { FB.ui({ method: 'share', display: 'popup', href: url }, function(response){}); }