A massive database that was apparently sourced from the Election Commission (EC) MySPR system has been put on sale at a well-known database marketplace. Said to contain more than 800,000 users, the database also includes pictures of selfies and MyKad which was part of the system’s Electronic Know Your Customer (eKYC) implementation.

Before we go further, here is a refresher: members of the public were able to register themselves as voters online when the MySPR Daftar website was launched in 2019. With the implementation of automatic voter registration earlier this year though, MySPR Daftar can be deemed obsolete but it does not mean that EC has abandoned the system.

Voters still have to utilize the MySPR online system if they want to change their voting address. Similarly, Malaysian citizens that reside outside of the country as well as eligible members of security forces and related frontline agencies that have to be on duty during election day also need to use the system to apply for a postal vote.

MySPR Online System
As captured at MySPR registration website at 10:45 PM today.

As part of the registration process, users need to submit a picture of their MyKad alongside a selfie of them holding the card for eKYC-based verification. This also applies to the members of the Malaysian Armed Forces (ATM) and Royal Malaysian Police (PDRM) although they have to show their army or police ID instead.

As highlighted by Twitter user @acaiijawe, the seller claimed that the database also includes plenty of other details such as full name, ID number, e-mail address, birth date, hashed password, and full address. In addition to that, it also contained more than 1.6 million eKYC images with a total file size of 67GB.

For this particular treasure trove, the seller is asking for around RM9,401 (USD2,000) although they specifically requested to be paid in either Bitcoin or Monero cryptocurrencies. The seller also claimed that they are in possession of the full electoral roll with details of 22 million voters although the listing focused solely on the MySPR online system’s eKYC data.

Even though @acaiijiwe’s tweet went viral just yesterday, the listing took place way back in April according to our own visit to the database marketplace. In fact, MySPR database was listed much earlier than the database belonged to the National Registration Department (JPN) which was actually done by the same seller and caused a huge commotion back in May.

MySPR / JPN Database Leak
The listing date of the MySPR and JPN database, as captured at 11:15 PM today.

Despite it being listed seven months ago, the MySPR thread is still generally active as the seller’s last thread bump took place yesterday. It is not known whether the EC is aware of this listing but regardless of that, it is rather concerning to see that the seller is not only still on the loose despite the JPN’s episode but they are also still actively looking for buyers.

The post MySPR Database With 800,000 Users Is Being Sold Online: Contains Selfies and MyKad Images appeared first on Lowyat.NET.