Tokopedia, New Hampshire BizHwy and others fall victim to data leaks.
13 December 2020 | BREACHAWARE HQ
A total of 5 breach events were found and analysed, resulting in 81,331,146 exposed accounts containing a total of 6 different data types of personal data. The breaches found publicly and freely available included Tokopedia, New Hampshire BizHwy, La Revue du Praticien, Minnesota BizHwy and Peters.
Categories of Personal Data Discovered
Contact Data, Technical Data, Socio-Demographic Data.
Data Breach Analysis
The breached entities span several sectors: e-commerce (Tokopedia), business directories (BizHwy New Hampshire and Minnesota), medical publishing (La Revue du Praticien), and a less-defined platform or service associated with the name ‘Peters.’
This breach set is notable not only for its sheer volume, over 81 million records, but also for its varied sources, covering everything from Southeast Asian retail giants to niche professional services and healthcare-related content. The inclusion of multiple types of platforms with differing user intents (shopping, professional networking, information access) raises concerns about the cross-contextual value of leaked data, particularly for actors looking to build composite identities or tailor phishing campaigns by sector.
Tokopedia is one of Indonesia’s largest online marketplaces, often compared to Amazon for its scale and centrality in regional commerce. Given Tokopedia’s role in a financially active ecosystem, including online banking integrations, digital wallets, and third-party seller accounts, its user data is attractive not just for account takeover but for financial fraud and identity replay attacks across Southeast Asia.
BizHwy is a business listing and directory service aimed at small and medium-sized enterprises (SMEs). The inclusion of both New Hampshire and Minnesota BizHwy records suggests multiple regional snapshots were obtained, either from the same database or from segmented sources.
While these details may seem relatively mundane, they provide high-fidelity targeting material for business-to-business (B2B) fraud attempts, particularly in the form of:
- Fake vendor invoices
- Business email compromise (BEC) setups
- Phishing tailored to regional regulations or events
Moreover, SME directories are often less fortified than their corporate counterparts, making them attractive pivot points for initial access brokers looking to infiltrate larger supply chains.
La Revue du Praticien is a long-standing French medical journal aimed at physicians and healthcare professionals. Breached records tied to this entity likely include users subscribed to digital editions or involved in continuing medical education (CME).
While patient data is not involved, this leak raises concerns about professional identity exposure. For example, impersonating a known medical professional, or simply using a valid hospital-associated email domain, can lend credibility to malicious campaigns targeting hospitals, clinics, or medical suppliers.
Moreover, such datasets may be used to generate credible fake profiles on professional platforms, or to compromise accounts that are reused across journal access, hospital portals, or medical procurement systems.
The listing of “Peters” remains somewhat ambiguous without more context. It could refer to a software platform, a business entity, or even an internal identifier for a now-defunct service. In breach datasets, vague or mismatched labels often appear due to partial leaks, archival naming, or aggregated sources.
Regardless, its inclusion in a breach set of this size suggests:
- Either a large volume of users associated with the name
- Or a critical overlap with other known records
Even if Peters represents a smaller or more obscure source, data correlation across platforms allows attackers to identify common users and build higher-confidence identity profiles. This cumulative exposure risk is a defining characteristic of modern breach ecosystems.
Six Data Types and Composite Identity Risk
The data types, in aggregate, enable more than just phishing. They support:
- Credential stuffing
- Identity correlation (across breaches or platforms)
- Social engineering
- Reputation-based attacks (e.g., impersonation of professionals or businesses)
The inclusion of business information and professional credentials alongside consumer data expands the attack surface significantly, blurring the line between corporate and personal risk.
Public Availability: A Lower Barrier to Attack
Perhaps most worrying is the public and freely accessible nature of this data. When data is sold on private forums or restricted markets, the threat actor pool is somewhat limited to buyers and vetted criminals. When data is dumped openly, it becomes a tool for:
- Amateur hackers and script kiddies
- Disinformation actors
- Harassment campaigns
- Credential re-users running automated tools
This flattening of access turns what might otherwise be high-value intelligence into mass-market weapons for anyone with an internet-connected device.
Conclusion
With over 81 million leaked records, this breach set is among the larger ones in public circulation. More than just a data dump, it reflects the interconnectedness of personal, commercial, and professional identities online. From Tokopedia’s high-transaction retail base to the niche business and medical communities represented in BizHwy and La Revue du Praticien, this dataset offers an expansive canvas for exploitation.
Moreover, the variety of sectors (commerce, healthcare, small business) demonstrates the multi-vector threat landscape that emerges from breaches of this nature. No single platform may seem catastrophic in isolation, but in aggregate, they feed a thriving underground economy of identity, access, and manipulation.