Tokopedia 2020 Data Breach

Tokopedia Indonesian E-Commerce Marketplace Breach (2020): 71 Million User Accounts Including Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

RetailIndonesiaDate of BirthEmail AddressFull NameGenderPassword
Low SeverityWebsite / service breach

Tokopedia Indonesian E-Commerce Marketplace Breach (2020): 71 Million User Accounts Including Passwords Exposed

Indonesian e-commerce platform.

Verified by ObscureIQ Intelligence
12/100Breach Risk Index
5Data Value
10Market Recency
2186dSince Breach

Breach Intelligence Summary

Entity: Tokopedia · Actor: Unknown · Sources: 8 references
Attack: Unknown
Profile: Platform · E-commerce marketplace · Consumer marketplace platform · Indonesia
Timeline: Breach (2020-04-17) · Indexed (May 02, 2020) · Year (2020)
Exposure: 71.4M records · 5 fields: Date of Birth, Email Address, Full Name, Gender, Password
Status: Confirmed

Executive Summary

Tokopedia, Indonesia's largest e-commerce marketplace, suffered a data breach in April 2020 that exposed the personal information of over 71 million users. The breach pathway was direct, meaning attackers accessed Tokopedia's systems without an intermediary. The method of intrusion has not been publicly disclosed. An initial tranche of 15 million rows of user data appeared on a hacking forum shortly after the breach. A further 76 million rows were later submitted to the breach notification service Have I Been Pwned in July 2020. The exposed data included full names, email addresses, genders, dates of birth, and passwords. The passwords were stored as SHA2-384 hashes, a cryptographic format stronger than older methods but still potentially reversible with sufficient computing power. The combination of personal identifiers and hashed credentials puts affected users at risk of targeted phishing attacks, account takeover attempts, and identity exploitation, particularly if they reused the same password across other services. Tokopedia acknowledged the breach and required users to reset their passwords. Indonesia's Ministry of Communication and Information Technology launched an investigation. At the time, Indonesia had no comprehensive data protection law, limiting the regulatory response available. No major enforcement action or settlement specific to this breach has been documented. Indonesia subsequently enacted its Personal Data Protection Law in 2022. Affected individuals should treat their Tokopedia credentials as compromised, update passwords on any accounts where they reused the same one, and remain alert to unsolicited contact using their personal details.

ObscureIQ assessment: High risk of fraud, phishing, and account takeover. Purchase and address data enable targeted scams and identity exploitation.

Breach Impact

In April 2020 Tokopedia suffered a direct breach resulting in 15 million rows of user data being posted to a hacking forum, with an additional 76 million rows provided to Have I Been Pwned in July 2020. The combined corpus contained over 71 million unique email addresses alongside names, genders, dates of birth, and passwords stored as hashed values. Tokopedia acknowledged the breach, notified users, and mandated password resets. The incident prompted Indonesia's Ministry of Communication and Information Technology to investigate, though Indonesia at the time lacked a comprehensive data protection law equivalent to GDPR. No major settlement or enforcement action specific to this breach has been documented. Indonesia enacted its Personal Data Protection Law in 2022, subsequent to the breach.

About Tokopedia

Tokopedia is Indonesia's largest e-commerce marketplace, connecting millions of buyers and sellers across the archipelago on a platform that operates as both a marketplace and logistics network. Founded in 2009 and headquartered in Jakarta, the company was acquired by GoTo Group — formed through Tokopedia's merger with Gojek — in 2021. The platform serves as a primary digital commerce destination for Indonesian consumers and small businesses across the country's highly fragmented retail market.

Why They Hold Your Data

E-commerce platforms collect customer identity data, emails, passwords, purchase history, addresses, and payment-related information.

Recent Developments

Tokopedia has operated within the GoTo Group since the 2021 merger that combined it with ride-hailing and digital payments platform Gojek. GoTo Group listed on the Indonesia Stock Exchange in 2022. The combined entity has navigated significant profitability pressure and has undertaken cost reduction measures. Tokopedia merged with TikTok Shop Indonesia in late 2023, creating a major social commerce platform under GoTo and TikTok's joint venture.

Data Points Exposed

5 verified field types
Date of Birth High
Email Address
Full Name High
Gender
Password Critical

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Identity verification bypass using name + date of birth combination
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Profile enrichment
  • Credential stuffing & account takeover

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Tokopedia breach?

Tokopedia, Indonesia's largest e-commerce marketplace, suffered a data breach in April 2020 that exposed the personal information of over 71 million users. The breach pathway was direct, meaning attackers accessed Tokopedia's systems without an intermediary. The method of intrusion has not been…

What data was exposed?

Verified fields include Date of Birth, Email Address, Full Name, Gender, Password.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Breach Index
DataBreach.com
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
Cross-source
DataViper.io
Independent catalogue listing
Cross-source
Keeper
Independent catalogue listing
Cross-source
leakfind
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation