Singapore-based online grocery platform RedMart is the latest victim of a data breach, after a Lazada MongoDB data set holding 1.1 million accounts was left unprotected.
Hackers are reportedly selling RedMart accounts for $1,500 each. The records contain email addresses, SHA-1 hashed passwords, full names, phone numbers, mailing addresses, partial credit card numbers, and expiration dates.
Lazada integrated RedMart into its platform in 2016, and the integration into the app was successful. The security oversight, however, underscores the importance of a proper integration strategy that merges the company data into one.
Transitioning customers’ data is as important as the other steps in securing company information. The news broke last Friday, when hackers informed BleepingComputer that they had obtained Lazada’s database.
The hackers claimed that the data set isn’t standardized, and ‘some rows have more information than others.’ Before the news broke, Lazada had sent notifications to impacted customers, stating that it discovered the breach during proactive systems monitoring.
“The customer data hosted on this database is more than 18 months out of date, as it was last updated in March 2019,” stated the company. However, BleepingComputer published evidence that the stolen database contains records with registration dates in May and July this year.
RedMart customers were automatically logged out of their accounts as part of Lazada’s security protocol. Everyone was prompted to reset their passwords before logging into the system again.
Lazada states that the breach affected only the RedMart database, which holds ‘out-of-date’ customer data. The company said it is pushing for immediate action to block the illegal access and inform the affected customers.
Poor Integration and User Experience
Two years after Lazada’s acquisition of RedMart, the company decided to integrate the platform into its parent application. RedMart accounts were formally integrated on March 15 last year, the same month the compromised data was ‘updated.’
Existing RedMart customers criticized the move, citing a poor shopping experience on the Lazada app. When the integration was completed, customers were forced to use Lazada’s ‘cluttered and difficult to navigate’ platform.
Lazada also failed to include RedMart’s popular features, including the ability to schedule orders and access a list of favorite items. Customers cite RedMart’s clean and streamlined interface, which they love.
While Lazada claims only RedMart is affected, that is difficult to confirm because the information was moved into its platform. Customers need to access the Lazada platform before they can head to the RedMart section.
Lazada also faces backlash regarding its security hygiene and is about to answer to Singapore authorities in the coming weeks.