The leak was posted on Raidforums, a forum where hacker data leaks are often posted and offered for sale, by an account named Ox1337xO on Thursday. The account reportedly revealed possession of a large amount of Know Your Customer (KYC) data: 17 GB of Vietnamese ID card information, including faces, addresses, phone numbers and emails .
It is estimated that a 1.4 GB file contains the information of 3,600 people.
The account put the files up for sale for $ 9,000, to be paid for via Bitcoin or Litecoin.
A cybersecurity expert said he contacted the account, which claimed the 17GB of data contained information on up to 10,000 Vietnamese.
The information in an ID card could be used to open multiple accounts, including those in communications and finance, which could prove to be “inconvenient,” said Pham Tien Manh, a cybersecurity expert based in Hanoi.
Vo Do Thang, director of cybersecurity company Athena, said there is nothing ordinary users can do to protect their data. Responsibility now lies with whoever left the leaked data in the first place, he added.
In the comments section of Raidforums, the Ox1337xO account admitted to accessing data through Pi Network, a digital currency platform that hosts the ‘Pi’ currency. The platform has raised concerns about its transparency as it does not release its own source code.
âIf it was really Pi who leaked the data, I will consider leaving behind the ‘Pi’ coins that I won,â said Ngoc Nam, a new user of the âPiâ mining scene.
However, other miners believe the leaked data could not have come from Pi Network, as the platform does not directly verify its users’ information or request photos of ID cards.
Phien Vo, a moderator of a group discussing Pi Network, which has more than 70,000 members in Vietnam, said it was not correct to say that it was Pi Network that leaked the data because the platform -form processed KYC data through another third-party system called Yoti, a digital identity verification site. Yoti accepts ID cards from 62 countries and territories, but the list does not include Vietnam, he added.
âTo perform KYC verification on Pi Network, Vietnamese would need to use their passports. Only some users who used earlier versions of Pi could perform KYC verification using their driver’s license, but so far the system has not yet accepted Vietnamese ID cards, âhe said.
On Monday, the cybersecurity division of the Ministry of Public Security opened an investigation into the incident. A representative said authorities were trying to find out where the leak came from and how the information was disclosed.
For An Xo, office manager of the Ministry of Public Security, the leaked data could be funneled abroad and put up for sale online due to the fact that many services require identity verification.
On Sunday, the original data breach thread on Raidforums was deleted.
This is not the first time that Vietnamese have experienced a major online data breach. Earlier this year, around 300,000 Vietnamese data profiles, including full names, addresses and phone numbers, were also leaked on the Raidforums.