A large dataset allegedly linked to Agoda, a Booking Holdings owned travel platform, has been offered for sale on a cybercrime forum, with claims that it contains 82 million customer records associated with Malaysian users. The listing is attributed to a threat actor identified as “hackboy” and is categorized as a data sale rather than a traditional system intrusion incident. Early analysis suggests the dataset may have been generated through web scraping activity instead of a direct breach of internal systems, based on structural indicators found in the sample records.
The threat actor claims the dataset includes approximately 82 million records, a figure that exceeds Malaysia’s adult population, raising questions about duplication across multiple scraping cycles, inclusion of broader regional users, or potential inflation of the dataset size. The sample data reportedly includes a “source” field pointing to Agoda city pages, along with an “extraction_date” of April 2026, reinforcing the assessment that the information may have been collected through automated extraction from publicly accessible Agoda web pages rather than obtained via unauthorized access to backend infrastructure. The presence of structured metadata fields further supports the possibility of large scale automated scraping activity.
The sample dataset is formatted in JSON and contains multiple personal and demographic fields per record. These include full_name, email, phone_number, ic_number corresponding to Malaysian national identity numbers also known as MyKad, address_raw containing full residential addresses, source referencing Agoda page URLs, extraction_date indicating when the data was collected, and status values such as VERIFIED. Reported sample entries include Malaysian names along with email domains such as yahoo.com.my, gmail.com, and hotmail.com, as well as +60 country code mobile numbers and detailed residential addresses spanning multiple Malaysian states including Selangor, Perak, and Pahang. The structure and completeness of the fields indicate a highly detailed aggregation of user related information.
The nature of the exposed data raises concerns due to the sensitivity of the included identifiers, particularly national identity numbers and full residential addresses. While scraping based origin reduces the likelihood of an internal system compromise, it does not eliminate privacy and security risks associated with large scale aggregation of personal data from publicly visible sources. The combination of structured identity information and contact details could still be leveraged for profiling, targeting, or misuse in downstream cybercrime activity. The unusually high record count compared to population benchmarks also highlights the possibility of repeated harvesting across multiple Agoda city pages or regional listings, which may have contributed to inflated dataset figures.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
