Major Chinese-operated digital marketplace Temu has confirmed that its network was not breached and that claims it suffered a cyber attack or data breach, made after a threat actor listed the company on BreachForums, were false.
Earlier this week, a threat actor going by the name “smokinthashit” posted what they claimed to be a Temu company database containing 87 million records of customer data.
Within the listing, the threat actor posted what it claimed to be sample data, which contained usernames, IDs, full names, shipping addresses, birth dates, phone numbers, IP addresses, and censored passwords.
However, speaking with Cyber Daily, Temu said the breach claims are false.
“Temu’s security team has conducted a comprehensive investigation into the alleged data breach and can confirm that the claims are categorically false; the data being circulated is not from our systems. Not a single line of data matches our transaction records,” the company told Cyber Daily.
“We take any attempt to tarnish our reputation or harm our users extremely seriously and reserve the right to pursue legal action against those responsible for spreading false information and attempting to profit from such malicious activities.
“At Temu, the security and privacy of our users are paramount. We follow industry-leading practices for data protection and cyber security, ensuring that consumers can shop with peace of mind on our platform.”
In a later update to Cyber Daily, Temu also said that the threat actor was removed from BreachForums for trying to sell publicly available data.
“The threat actor has been banned on BreachForums for misrepresenting and attempting to sell data that was already publicly available.”
Temu added that its dedication to security has been proven through a number of certifications and measures such as its MASA certification from DEKRA, use of two-factor authentication, its membership in the Anti-Phishing Working Group, the fact it follows PCI DSS standards when it comes to payment security, and its vulnerability identification partnership with HackerOne.
Temu has had its privacy standards brought into question in the past, having last year faced a class-action lawsuit that alleged the company was using malicious spyware to collect data from its users.
According to the class action, Temu violated US federal wiretap laws with its “clandestine tracking activities”, profiting from its illegal collection of customer data, which resulted in marketing that was more targeted to the consumer.
Allegedly, Temu was able to monitor the offsite activity of its customers by injecting JavaScript spyware code into websites that users visit from the Temu website. Data collected in the process includes names, addresses, email addresses, phone numbers, biometric data, Social Security numbers, and credit card and financial information, according to the class action.
Additionally, legal teams representing plaintiff Eric Hu have said that Temu failed to meet a standard of cyber security, putting customer data at risk of being stolen by threat actors. The company has been accused of cutting corners with its cyber security in an effort to lower expenses.
Update, 23/09/24: Temu confirmed with Cyber Daily that the data breach claims were false and the threat actor claiming to have breached its network was banned by BreachForums for the false claims.