Database of 380,000 E-Pay customers allegedly put on sale online for RM1,215

[ UPDATE 04/02/2021 18:15 ]: GHL Group has launched an investigation into the E-Pay data breach allegations. More details here.


Personal details of over 300,000 E-Pay customers appears to have been exposed online through a data breach. A threat actor was spotted selling a database of 380,000 customers on an data sharing forum for USD 300 (about RM1,215). That’s about 0.32 sen per user.

The sale was highlighted by @Bank_Security on Twitter and was recently shared by OMG Hackers.

From the sample record posted on RAID Forums, the database contain customer name, email address, hashed password, date of birth, full address including city and postcode and mobile number. If purchased, these details if legit can be misused for scam activities and 380,000 records is quite a significant size.

E-Pay users are urged to change their passwords immediately as a security measure. However, there’s nothing much affected users can do about the personal details that have been exposed.

E-Pay is known for providing prepaid top-up services for telcos which also include IDD cards and online game reloads. We’ve reached out the E-Pay and parent company GHL Group for further clarification and will update this post if there are further details.


Alexander Wong