Following the advisory from the Philippine National Privacy Commission (NPC) and confirmation from lending app Cashalo, the privacy watchdog released its initial findings that data 3.3 million users were sold on the dark web.

The dark web is a part of the internet that is not accessible to just about anyone. Only people who are familiar with Tor, an anonymizing search engine, can navigate the dark web.

In its initial statement Sunday posted on its pages, Cashalo said, “Our encryption implementation ensured that no customer accounts or passwords were compromised.”

Lending app Cashalo reports data breach

NPC recommends prosecution of online lending company for data privacy violation

NPC cited a user who goes by the “creepxploit” sold the data containing usernames, passwords, e-mail addresses, phone numbers, and device identifications on the dark web as shared in a post on cybleinc.com and RaidForums. These pieces of information were said to have been in cyber forums since Feb. 14.

Cashalo, operated by Oriente Express Techsystem Corp., reported the data breach to the NPC on the evening of Feb. 19 via email.

NPC said the uploader “even provided sample data for potential buyers.”

“In light of this, NPC is addressing the public that from this breach notification received, the Commission intends to do further monitoring and investigation in cooperation with the parties involved — upholding its mandate in protecting personal information of data subjects,” the NPC said.