Lazada security team discovered one on Thursday infringement in a database of its clients RedMart, the electronic goods delivery service. The company owned by Alibaba, said the stolen information contained in a database was at least 18 months old.
According to Lazada, the database was used by the most disabled application and RedMart website and was hosted by a third party service provider.
Lazada acquired RedMart in late 2016 and last March, integrated the goods delivery service into its own application.
In accordance with Channel News Asia of Singapore, which first reported the incident, the database data is available for sale in an illegal forum and include names, phone numbers, emails, and passwords from various e-commerce sites around the world.
CNBC could not independently confirm the content of the online forum. However, Lazada confirmed to CNBC that personal information 1,1 million RedMart accounts have been leaked.
Affected users logged out of their existing accounts and were asked to reset their password before logging in. Lazada also said it blocked access to the database immediately.
The company said it reported the incident to Committee on the Protection of Personal Data of Singapore. By law, companies are required to report supplies and affected individuals in the event of a data breach, if it concerns the personal data of 500 or more individuals.
On its website, Lazada said the affected database was not linked to any of its current databases.
As more people turn to online shopping after the coronavirus pandemic, the risk to their data security increases.