What happened
According to public breach records, the Tokopedia data breach on April 17, 2020 is reported to have exposed the personal information of 71,443,698 accounts.
In April 2020, Indonesia's largest online store Tokopedia suffered a data breach. The incident resulted in 15M rows of data being posted to a popular hacking forum. An additional 76M rows were later provided to HIBP in July 2020. In total, the data included over 71M unique email addresses alongside names, genders, birth dates and passwords stored as SHA2-384 hashes.
In May 2020, the breach-monitoring service Under the Breach surfaced data from Tokopedia, Indonesia's largest e-commerce platform, traced to a March 2020 intrusion. An exported PostgreSQL database with roughly 91 million user records — including names, email addresses, dates of birth, genders, and hashed passwords (with phone numbers in some records) — first appeared for about 15 million accounts on a hacker forum, then the full set was offered on dark-web marketplaces for around $5,000 and reportedly sold at least twice. Although Tokopedia stated passwords remained protected by hashing, threat actors quickly cracked and freely shared over 200,000 dehashed credentials.
What data was exposed
The following types of personal data were compromised:
- Dates of birth
- Email addresses
- Genders
- Names
- Passwords
Breach details
| Detail | Value |
|---|---|
| Breach name | Tokopedia |
| Date | April 17, 2020 |
| Accounts affected | 71,443,698 |
| Domain | tokopedia.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Tokopedia; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your Tokopedia password immediately, and change it anywhere else you reused the same password — cracked credentials from this dump were shared publicly, making password reuse a direct account-takeover risk.
- Enable two-factor authentication on Tokopedia and on any account that shared the exposed email or password.
- Treat unsolicited emails referencing your name or date of birth with suspicion — the leaked email-plus-name-plus-DOB combination is ideal material for targeted phishing and identity-verification scams.
- Be alert that your date of birth was exposed; avoid using it as an answer to security questions and watch for attempts to use it to impersonate you when verifying identity.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Hacker sells 91 million Tokopedia accounts, cracked passwords shared — BleepingComputer
- Tokopedia Breach: 91 Million Records for Sale on Dark Web — Infosecurity Magazine
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →