Temu denies being hacked or experiencing a data breach after a threat actor claimed to be selling a stolen database containing 87 million customer records.
The threat actor posted the alleged data for sale yesterday on the BreachForums hacking forum, along with a small sample as proof of the stolen data.
Temu states that it has examined and cross-referenced the samples with its database but found no matches.
Hacker claims to breach Temu
Temu, a rapidly expanding e-commerce platform, offers a diverse selection of products at competitive prices, specializing in affordable clothing, home goods, electronics, and accessories.
Although Temu is based in China, it operates globally, with notable success in Europe and the United States, where its deep discounts and promotional strategies have attracted widespread attention.
While Temu has faced scrutiny over issues related to data privacy, product quality, and shipping times, it has yet to be involved in a significant data breach incident.
Yesterday, a threat actor known as ‘smokinthashit‘ claimed to have stolen a database containing 87 million records from Temu and attempted to sell it to other cybercriminals.
The hacker released samples of the purportedly stolen data, which included usernames, IDs, IP addresses, full names, dates of birth, gender, shipping addresses, phone numbers, and hashed passwords.
Threat actor’s post on BreachForums
Source: BleepingComputer
Temu says it wasn’t breached
In response to BleepingComputer’s request for comment, Temu firmly denied that the published data is theirs and stated it would pursue legal action against those spreading misinformation.
“Temu’s security team has conducted a thorough investigation into the alleged data breach and confirms the claims are entirely false; the data being circulated does not originate from our systems. Not a single line of data corresponds with our transaction records,” Temu said.
“We take any attempt to damage our reputation or harm our users very seriously and reserve the right to take legal action against those responsible for spreading false claims and attempting to profit from such malicious activities.”
“At Temu, the security and privacy of our users are top priorities. We adhere to industry-leading standards for data protection and cybersecurity, ensuring that our platform remains a secure environment for shoppers.”
The e-commerce platform also emphasized its commitment to industry-leading data protection and cybersecurity practices, citing its MASA certification, independent audits, participation in the HackerOne bug bounty program, and compliance with the PCI DSS payment security standard.
Threat actor says the breach is real
BleepingComputer reached out to the threat actor regarding the alleged breach, and they continued to assert that they had breached Temu.
The threat actor claimed they still had access to the company’s email and internal panels, citing vulnerabilities in Temu’s code.
However, the threat actor did not provide any evidence to support these claims, and BleepingComputer has been unable to verify their validity.
Regardless of whether the breach claims are true, such allegations can still damage a company’s reputation and erode customer trust.
As a precaution, if you are a Temu user, it is advisable to enable two-factor authentication, update your password to something new and secure, and remain alert to potential phishing attempts.
BleepingComputer contacted Temu again for comment on these additional claims, but no response was immediately available.
Source: BleepingComputer, Bill Toulas
