Temu Denies Hacker's Claims of Breach Involving 87 Million User Records

Temu, a popular e-commerce platform, has denied allegations of a data breach after a hacker claimed to have stolen 87 million customer records. The threat actor posted a small sample of the alleged data on BreachForums, including personal details such as:

• Customer full names, dates of birth and gender
• Phone numbers and shipping addresses
• Usernames and IDs
• IP addresses and hashed passwords

If it were legitimate, this data could potentially be used for identity theft, phishing attacks, or account takeovers.

The breach allegations were made on Sept. 16. Temu swiftly responded by stating that a thorough investigation was conducted, and they found no match between the sample data and their own records.

According to the company, an internal investigation found no connection between the leaked data and its systems. Temu emphasized that it adheres to strict data protection measures, including compliance with the PCI DSS standard, an industry-recognized certification for securing payment data. Additionally, Temu highlighted its HackerOne bug bounty program, which encourages external security researchers to report vulnerabilities.

"Temu's security team has conducted a comprehensive investigation into the alleged data breach and can confirm that the claims are categorically false; the data being circulated is not from our systems. Not a single line of data matches our transaction records," Temu told BleepingComputer.

The company also threatened legal action against anyone who spreads false information, a strong stance to protect its reputation in a highly competitive market where customer trust is essential.

"We take any attempt to tarnish our reputation or harm our users extremely seriously and reserve the right to pursue legal action against those responsible for spreading false information and attempting to profit from such malicious activities," Temu added.

Despite Temu's stance, the hacker insisted he still has access to the online marketplace’s systems and pointed to vulnerabilities in Temu’s code. However, without further proof, these claims remain speculative. Nonetheless, the possibility of a breach, actual or not, leaves users in a precarious situation, unsure whether their personal information is safe.

Even if a data breach hasn’t been confirmed, users can still take measures to safeguard their accounts and personal information.

Here’s what you can do:

• Change your password. It's better to be on the safe side and change your Temu password. Make sure that the new password is strong and unique. You can also use a password manager to help you generate and manage all of your passwords.
• Enable 2FA to add an extra layer of security beyond the initial password you use to log in on the platform.
• Monitor your account activity. Check for suspicious activity as it could be a sign that your account is compromised.
• Be wary of phishing attempts. Even without a confirmed breach, hackers may attempt to exploit the situation by launching phishing campaigns. Be cautious of emails or messages asking for personal information or containing suspicious links.

Have a chat with Bitdefender Scamio, our AI-powered scam detector, to help you determine whether unsolicited messages or emails could be a scam. Simply describe the message or request, and Scamio will analyze the information and respond. Scamio is available on Facebook Messenger, WhatsApp, and your web browser. You can also help others stay safe by sharing Scamio with them in France, Germany, Spain, Italy, Romania, Australia, and the UK.

• Check for data breach alerts

Use Bitdefender’s Digital Identity Protection for:

- Instant Alerts: You can immediately react to data breaches and privacy threats and take swift action to prevent damage, such as changing passwords, via one-click action items.

- Real-time monitoring: The service continuously scans the internet and dark web for your personal information. You will receive alerts whenever your data is involved in a breach or leak.

- Peace of mind: This service immediately flags suspicious activity and actively monitors personal information for peace of mind.

- A 360° view of all your personal data: See your digital footprint, including traces from services you no longer use but that still have your data, and even send requests for data removal from service providers.