Email addresses and other information about 3.3m clients of money-lending app Cashalo in the Philippines are being offered for sale on the dark web, a preliminary investigation by the Philippine National Privacy Commission (NPC) has shown.

In response, Cashalo says it is notifying affected customers about the incident and is providing support to help them manage any potential risks.

The NPC acted after reports of an alleged data breach of the app, operated by Oriente Express Techsystem of Hong Kong.

“Initial findings show that huge amounts of personal data from Cashalo have been dumped and sold on different cyber forums since 14 February,” the NPC said.

“A certain user named ‘creepxploit’ sells data of 3.3m users of Cashalo containing their usernames, passwords, email addresses, phone numbers and device identifications on two sites on the dark web. The user even provides sample data for potential buyers.

“Given the facts, it is suspected that the user successfully downloaded files from Cashalo’s own database, which signifies a potential breach on the application,” the commission added.

The company has provided a breach report to the commission, which says it continues to monitor and investigate the matter with the parties involved. 

Cashalo says its cyber security team discovered a potential data breach on 18 February involving a database. Taken from a non-production system the company uses, the Cashalo-only archive included some combinations of usernames, email, phone numbers, device ID, and encrypted passwords. 

“Our encryption implementation ensured that no customer accounts or passwords were compromised,” Cashalo added.

“We have since taken the system offline and activated investigations, working closely with cyber security experts and the relevant authorities, including the Philippines’ National Privacy Commission. Protecting the data and privacy of our users is of utmost importance to us.”

The company is conducting a thorough impact assessment to determine the nature and extent of data that has been potentially accessed, it said.

An NPC spokeswoman urged Cashalo subscribers to be vigilant with their accounts, change passwords and implement other security measures, The Philippine Star newspaper reported.
