A dark web forum post by user 'Oversleep8351' claimed to sell a dataset containing 7–8 million GCash user records, including merchant/basic accounts, GCash account numbers, linked financial accounts (virtual cards, bank connections), and verified eKYC records (names, addresses, employment details, and scanned Philippine government IDs like passports, driver’s licenses, or UMIDs). The data, allegedly extracted between 2019 and October 2025, was offered in bundles priced from $700 (20,000 entries) to $25,000 (full dataset), payable in Monero (XMR) for anonymity. While GCash denied a breach—citing forensic analysis showing no match with official data structures and the presence of non-users/invalid entries—the National Privacy Commission (NPC) launched an investigation, issuing a *Notice to Explain* to G-Xchange. Experts warned of risks like identity theft, phishing, and financial fraud if the data is authentic. The NPC advised users to monitor accounts, update credentials, and enable security features, though no official breach confirmation was made by GCash as of the report.
TPRM report: https://www.rankiteo.com/company/wearegcash
{
"id": "wea1963019102725",
"linkid": "wearegcash",
"type": "Breach",
"date": "6/2019",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '7-8 million (alleged)',
'industry': 'Digital Payments / Mobile Wallet',
'location': 'Philippines',
'name': 'G-Xchange, Inc. (GCash)',
'type': 'Financial Technology (FinTech) Company'}],
'customer_advisories': ['Monitor accounts closely for suspicious activity',
'Regularly update MPINs and passwords',
'Enable all available security features',
'Stay alert to phishing or social engineering scams',
'Refrain from engaging with unverified claims'],
'data_breach': {'data_exfiltration': 'Alleged (data offered for sale on dark '
'web)',
'file_types_exposed': ['Unorganized data bundles (requires '
'manual sorting by account number or '
'registration date)'],
'number_of_records_exposed': '7-8 million (alleged)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes personally '
'identifiable information and '
'financial data)',
'type_of_data_compromised': ['GCash account numbers',
'Linked financial accounts '
'(virtual cards, bank '
'connections)',
'eKYC records (names, addresses, '
'employment details, Philippine '
'IDs such as passports, driver’s '
'licenses, UMIDs)',
'Merchant and basic user account '
'details']},
'date_detected': '2025-10-25',
'date_publicly_disclosed': '2025-10-27',
'description': 'The National Privacy Commission (NPC) launched an '
'investigation into a massive alleged data breach involving '
'G-Xchange, operator of GCash, after a large cache of user '
'data reportedly appeared for sale on a dark Web forum. The '
"seller, identified as 'Oversleep8351,' claimed the dataset "
'includes sensitive personal and financial data of 7-8 million '
'GCash users, including merchant and basic accounts, '
'G-Xchange/GCash account numbers, linked financial accounts, '
'and verified eKYC records. The data was offered in bundles '
'for cryptocurrency payments via Monero (XMR), with pricing '
'ranging from $700 for 20,000 entries to $25,000 for the full '
'dataset. GCash denied any data compromise, stating initial '
'forensic analysis found no match with official records.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'alleged breach and dark web sale of '
'user data',
'data_compromised': True,
'identity_theft_risk': 'High (eKYC records with government-issued '
'IDs exposed)',
'legal_liabilities': 'Investigation by National Privacy Commission '
'(NPC) under the Data Privacy Act of 2012; '
'potential regulatory actions if breach is '
'confirmed',
'payment_information_risk': 'High (linked financial accounts, '
'virtual cards, and bank connections '
'exposed)'},
'initial_access_broker': {'data_sold_on_dark_web': True,
'high_value_targets': ['GCash user databases '
'(2019–October 2025)']},
'investigation_status': 'Ongoing (NPC investigation launched; GCash '
'conducting forensic analysis)',
'motivation': ['Financial Gain', 'Data Exfiltration for Resale'],
'recommendations': ['Users: Monitor accounts for suspicious activity, update '
'MPINs/passwords, enable security features, avoid '
'phishing scams',
'Company: Continue forensic validation, strengthen '
'defenses, maintain transparency with regulators and '
'customers',
'Regulators: Expedite investigation to confirm or debunk '
'breach claims, enforce compliance if violations are '
'found'],
'references': [{'date_accessed': '2025-10-27',
'source': 'National Privacy Commission (NPC) Public Advisory'},
{'date_accessed': '2025-10-25',
'source': 'Deep Web Konek (Cybersecurity Monitoring Group)'},
{'date_accessed': '2025-10-27',
'source': 'GCash Media Statement'}],
'regulatory_compliance': {'legal_actions': ['NPC investigation under Data '
'Privacy Act of 2012; potential '
'enforcement actions if breach '
'confirmed'],
'regulatory_notifications': ['NPC issued Notice to Explain (NTE) to G-Xchange',
'Online clarificatory conference scheduled']},
'response': {'communication_strategy': {'company_statement': 'GCash denied breach, assured customers of system security, and advised reporting suspicious activity through official channels',
'public_advisory': 'NPC issued warnings to GCash users (monitor accounts, update MPINs, enable security features, avoid phishing scams)',
'regulatory_notification': 'NPC issued Notice to Explain (NTE) to G-Xchange and scheduled clarificatory conference'},
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['Forensic analysis to validate data '
'authenticity',
'Coordination with regulatory bodies'],
'third_party_assistance': ['Bangko Sentral ng Pilipinas (BSP)',
'National Privacy Commission (NPC)',
'Cybercrime Investigation and '
'Coordinating Center (CICC)']},
'stakeholder_advisories': ['NPC urged vigilance and issued guidance for GCash '
'users',
'GCash advised users to report suspicious activity '
'through official channels (Help Center, Gigi '
'chatbot, hotline 2882)'],
'threat_actor': {'alias': 'Oversleep8351', 'dark_web_handle': 'виверна'},
'title': 'Alleged Massive Data Breach Involving G-Xchange (GCash) User Data '
'Sold on Dark Web',
'type': ['Data Breach', 'Dark Web Data Sale']}