Tokopedia Data Breach
Tokopedia Indonesian E-Commerce Marketplace Breach (2020): 71 Million User Accounts Including Passwords Exposed
Indonesian e-commerce platform.
Risk Interpretation
High risk of fraud, phishing, and account takeover. Purchase and address data enable targeted scams and identity exploitation.
Impact & Downstream Threats
In April 2020 Tokopedia suffered a direct breach resulting in 15 million rows of user data being posted to a hacking forum, with an additional 76 million rows provided to Have I Been Pwned in July 2020. The combined corpus contained over 71 million unique email addresses alongside names, genders, dates of birth, and passwords stored as hashed values. Tokopedia acknowledged the breach, notified users, and mandated password resets. The incident prompted Indonesia's Ministry of Communication and In
- Credential stuffing against reused passwords across other platforms
- Identity verification bypass using name + date of birth combination
- Targeted phishing campaigns using exposed email addresses
Threat Vectors
Breach Intelligence
Executive Summary
Tokopedia, Indonesia's largest e-commerce marketplace, suffered a data breach in April 2020 that exposed the personal information of over 71 million users. The breach pathway was direct, meaning attackers accessed Tokopedia's systems without an intermediary. The method of intrusion has not been publicly disclosed. An initial tranche of 15 million rows of user data appeared on a hacking forum shortly after the breach. A further 76 million rows were later submitted to the breach notification service Have I Been Pwned in July 2020. The exposed data included full names, email addresses, genders, dates of birth, and passwords. The passwords were stored as SHA2-384 hashes, a cryptographic format stronger than older methods but still potentially reversible with sufficient computing power. The combination of personal identifiers and hashed credentials puts affected users at risk of targeted phishing attacks, account takeover attempts, and identity exploitation, particularly if they reused the same password across other services. Tokopedia acknowledged the breach and required users to reset their passwords. Indonesia's Ministry of Communication and Information Technology launched an investigation. At the time, Indonesia had no comprehensive data protection law, limiting the regulatory response available. No major enforcement action or settlement specific to this breach has been documented. Indonesia subsequently enacted its Personal Data Protection Law in 2022. Affected individuals should treat their Tokopedia credentials as compromised, update passwords on any accounts where they reused the same one, and remain alert to unsolicited contact using their personal details.
About Tokopedia
Tokopedia is Indonesia's largest e-commerce marketplace, connecting millions of buyers and sellers across the archipelago on a platform that operates as both a marketplace and logistics network. Founded in 2009 and headquartered in Jakarta, the company was acquired by GoTo Group — formed through Tokopedia's merger with Gojek — in 2021. The platform serves as a primary digital commerce destination for Indonesian consumers and small businesses across the country's highly fragmented retail market.
Why They Hold Your Data
E-commerce platforms collect customer identity data, emails, passwords, purchase history, addresses, and payment-related information.
Recent Developments
Tokopedia has operated within the GoTo Group since the 2021 merger that combined it with ride-hailing and digital payments platform Gojek. GoTo Group listed on the Indonesia Stock Exchange in 2022. The combined entity has navigated significant profitability pressure and has undertaken cost reduction measures. Tokopedia merged with TikTok Shop Indonesia in late 2023, creating a major social commerce platform under GoTo and TikTok's joint venture.
Data Points Exposed
Canonical Fields
date_of_birth, email_address, full_name, gender, password
Dark Web Verification
- Dataset containing ~71.4M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: Tokopedia Data Breach;tokopedia.com-2020
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Tokopedia
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam