Users of a popular e-wallet platform are advised to take extra security measures following reports of an alleged data leak involving its operator.
The National Privacy Commission (NPC) on Monday, October 27, urged GCash account holders to “actively monitor their accounts, regularly update their MPINs and passwords, and enable additional security features to protect their information.”
MPIN stands for Mobile Personal Identification Number, a four-digit security code that users create to log in to their accounts and authorize transactions.
Other safety features of the e-wallet platform include the “Biometrics Login” option, which allows users to access their accounts using a fingerprint or facial recognition instead of a password or an MPIN.
GCash said this option “adds extra security” to the user’s account.
The NPC also advised e-wallet users to “remain alert to phishing attempts and refrain from sharing personal or sensitive data while the investigation is ongoing.”
The agency said it has “immediately launched an investigation” following reports on Sunday, October 26, of a data leak involving G-Xchange Inc., the operator of GCash.
The NPC said that a post on the dark web by a threat actor using the alias “Oversleep8351” claimed to be offering merchant and basic user data, GCash account numbers, linked bank and virtual card accounts, and KYC (Know Your Customer) records containing names, addresses, employment details, and valid Philippine IDs.
The agency added that its Complaints and Investigation Division has issued a Notice to Explain to G-Xchange Inc., requesting additional details about the alleged incident.
It also assured the public that an online clarificatory conference has been scheduled with the platform to facilitate a more in-depth discussion of the matter.
The NPC said that as of 10:30 a.m. on Monday, it had not received any official data breach notification from G-Xchange Inc.
“Should the investigation confirm that the personal data of GCash users have been compromised, the NPC will take regulatory and enforcement action within its mandate under the Data Privacy Act of 2012,” it said.
The agency added that it will provide updates “as soon as more information becomes available.”
GCash response
Meanwhile, GCash later confirmed that there was “no evidence of a data breach” following the circulating allegations.
“GCash is aware of an online post alleging that user information is being sold on the dark web. There is no evidence of any breach in GCash systems. All customer accounts and funds remain secure,” it said in a statement released hours after the NPC’s.
The platform said that, based on its cybersecurity experts’ investigation, the “alleged dataset does not match data from GCash systems.”
“Additionally, many entries are incomplete, invalid, or do not belong to GCash users. These findings strongly indicate that the data being circulated did not originate from GCash,” it said.
The platform assured users that it continues to “work closely” with the NPC, Bangko Sentral ng Pilipinas and the Cybercrime Investigation and Coordinating Center to monitor and validate information from all possible sources and ensure its systems “remain protected.”
“GCash remains fully committed to safeguarding customer data, strengthening our defenses, and upholding the trust of millions of Filipinos,” it said.
The alleged leak
On Sunday, a cybersecurity advocacy group reported that “GCash User Data” was allegedly being sold on the dark web, potentially affecting millions of accounts.
“A data leak allegedly involving G-Xchange/GCash has surfaced on a dark web forum. The post, made by a user named Oversleep8351, claims to be selling records from 2019 up to October 2025, including eKYC (Know Your Customer) information, linked bank accounts, and GCash numbers,” the Deep Web Konek said.
“According to the listing, the data includes both merchant and basic users — with personal details such as names, addresses, employment, and even valid Philippine IDs. The seller claims the dump contains up to 7–8 million users, offered in bundles priced up to $25,000, payable only through Monero (XMR) cryptocurrency,” the organization added.
“The forum post states that all data is ‘unorganized,’ meaning it must be sorted manually, and that the seller will only deal with ‘existing buyers’ from previous dark web transactions,” the Deep Web Konek said.
In the comments section, the organization said GCash had informed of the allegations and that it had “already coordinated” with the platform to investigate the reported data breach.
GCash is one of the Philippines’ largest e-wallet platforms, gaining popularity during the COVID-19 pandemic as cashless transactions became more common.
