S’pore Influencer Shows How Easy It Is to Hack Into Company’s Database to Retrieve Customers’ Personal Details

While hacking may have seemed like some kind of secret-society-in-movies activity in the past, most of us nowadays know that that’s not the case.

In particular, one local lifestyle influencer has put that stereotype aside to do some intense digging.

Xavier Lur, a 28-year-old influencer on Twitter, recently took the issue of companies’ databases not being secure enough into his own hands.

On Saturday (28 May), he took to Instagram stories to share his experience of trying to hack into local companies’ databases, proving just how easy it is to retrieve customers’ information if the companies are not careful enough.

In his first Instagram story, he wrote, “It is concerning that there are many brands out there who don’t take customer personal data seriously.”

He also shared an article regarding the fine that was issued to local fashion brand Love, Bonito after customer information was leaked in 2019.

The leak was the result of malicious code being added to its website.

As of now, Love Bonito has said that it has made “significant improvements” to its data security systems.

The Actual Digging: Hacked into Two Companies’ Databases

Through some digging and the use of code, Lur managed to hack into the databases of two unnamed companies in Singapore.

Of course, Lur only retrieved his own personal information after hacking into the databases.

He also mentioned that he contacted the respective companies to inform them about the loopholes in their security systems.

He also informed the Personal Data Protection Commission (PDPC), the main authority in charge of personal data protection in Singapore, about the flaws.

Brand A

According to his Instagram stories, Lur first hacked into the database of “Brand A”, which is “a well-known brand with operations in Singapore and some other markets”.

“Anyone with basic technological knowledge is able to easily extract the customer data, which includes name, mobile, email and DOB without any authorisation keys needed,” he added.

He then posted a screenshot indicating that he had extracted his personal information from the database.

Even though Lur did not try to do so, hackers would be able to retrieve the information of every customer in the database through this loophole.

Brand B

Lur described the other company that he managed to hack into as a “well-known local brand”.

And it seems like hacking into the database of this company might result in more severe consequences.

“The brand’s MPGS credit card payment gateway username and password exposed in the company’s Android app (anyone can download the app from the Google Play Store and view the source code),” Lur explained.

In layman’s terms, the username and password that the brand uses for the Mastercard Payment Gateway Services (MPGS) can be easily retrieved just by installing the brand’s Android application and viewing its source code.

Even though such a breach is not directly linked to personal data, Lur pointed out that it might end up causing “financial impact” to the company as hackers can use the information to carry out a series of different actions.

“While one isn’t able to do much with this info alone, it makes it very easy to create unauthorised charges on customers’ credit cards or retrieve credit card-related data (their app allows saved cards) if a hacker manages to access the list of saved card tokens,” Lur wrote in a separate story.

He also demonstrated how hackers can do so by trying it out himself and successfully generating a payment session as a hacker.

Other transactions that hackers or third parties can conduct include issuing refunds to customers even if the company has delivered the goods and services.

One-time passwords (OTPs) sent to customers may still prevent such transactions from being completed, though Lur did not mention them in his series of Instagram stories.
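As an added illustration (not part of the original article or Lur’s stories), a release pipeline can catch the Brand B kind of exposure before an app ships by scanning the package’s text files for credential-like literals. The archive contents, key names and values below are constructed; compiled resources in a real APK are binary and would need decoding before a scan like this.

```python
import io
import re
import zipfile

# Key names that suggest a credential (a heuristic chosen for this example).
SECRET_KEY = r"[\w.\-]*(?:password|passwd|secret|api_?key|username|token)[\w.\-]*"
PATTERNS = [
    # Android resource form: <string name="gateway_password">value</string>
    re.compile(rf'<string\s+name="({SECRET_KEY})"\s*>([^<]+)</string>', re.I),
    # JSON / properties / source constants: "key": "value" or key = "value"
    re.compile(rf'"?({SECRET_KEY})"?\s*[:=]\s*"([^"\s]+)"', re.I),
]
TEXT_SUFFIXES = (".xml", ".json", ".properties", ".txt", ".js", ".java", ".kt")


def scan_package(package_bytes):
    """Return sorted (entry, key) pairs for credential-like literals in a zip."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as package:
        for entry in package.namelist():
            if not entry.lower().endswith(TEXT_SUFFIXES):
                continue  # skip binaries such as classes.dex
            text = package.read(entry).decode("utf-8", errors="replace")
            for pattern in PATTERNS:
                for key, value in pattern.findall(text):
                    # Resource references and build placeholders are not
                    # literal secrets shipped inside the package.
                    if value.startswith(("@", "${")):
                        continue
                    # Report the location and key only, never the value,
                    # so the scan itself does not leak secrets into CI logs.
                    findings.add((entry, key))
    return sorted(findings)


def build_sample_package():
    """Constructed archive standing in for an unpacked app (not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/config.json",
                   '{"gateway_username": "EXAMPLE_USER", '
                   '"gateway_password": "EXAMPLE_PASS"}')
        z.writestr("res/values/strings.xml",
                   '<resources><string name="app_name">Shop</string>'
                   '<string name="api_key">EXAMPLE_KEY</string>'
                   '<string name="password_hint">@string/hint</string>'
                   '</resources>')
        z.writestr("classes.dex", b"\x00binary")
    return buf.getvalue()
```

A non-empty result would fail the build; the remedy is to keep gateway credentials on the company’s own server so the app never carries them.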


Importance of Remaining Alert Regarding Cybersecurity

In a previous interview with Mothership, Chief Executive of the Cyber Security Agency (CSA) David Koh emphasised that Singaporeans may be more trusting and complacent with where and how they key in their personal information online.

This is largely due to the physically safe environment that Singapore provides its citizens with, making most of us believe that our cyberspace is completely safe as well.

However, that may not be the case as seen from Lur’s experience.

Based on CSA’s Cybersecurity Public Awareness Survey 2020, 78% of respondents knew about the risks of not installing cybersecurity applications on their phones.

However, only 39% of the respondents had these applications installed on their phones.

Koh also touched on how it may take a prolonged period of time for users to realise that their personal or financial information has been leaked online, and that most may not feel the impact of such incidents immediately.

This is especially so when compared with physical crimes where victims will know instantly when they are in trouble.


Featured Image: Instagram (@xavierlur)