Thursday, March 5, 2026

NPC probes alleged dark Web sale of GCash user data covering millions of accounts

The National Privacy Commission (NPC) said on Monday, Oct. 27, that it has launched an investigation into a massive alleged data breach involving G-Xchange, operator of GCash, after a large cache of user data reportedly appeared for sale on a dark Web forum over the weekend.

According to cybersecurity monitoring group Deep Web Konek, the listing — posted on October 25, 2025, by a dark Web user identified as “Oversleep8351” — claims to contain sensitive personal and financial data of millions of GCash users, including both merchant and basic accounts.

The post, titled “G-Xchange/GCash (GXCHPHM2XXX) User Infos by виверна,” advertises access to massive data bundles allegedly extracted from GCash systems between 2019 and October 2025.

The seller’s post claims the dataset includes:

  • Merchant and basic GCash user accounts
  • G-Xchange/GCash account numbers
  • Linked financial accounts, including virtual cards and bank connections
  • Verified eKYC (Know Your Customer) records containing names, addresses, employment details, and valid Philippine IDs

The seller estimated that the compromised records span 7 to 8 million users and offered the data in bundles for cryptocurrency payments via Monero (XMR), a digital currency favored for its anonymity features.

The pricing reportedly ranged from $700 for 20,000 user entries to $25,000 for the full dataset.

Deep Web Konek noted that the files were described as “not organized,” requiring buyers to manually sort and query the data by account number or registration date.

The seller also stated that “sample data” would only be provided to verified, existing clients to prevent exposure and maintain “customer trust.”

Cybersecurity experts warn that, if proven authentic, the breach could expose millions of Filipinos to identity theft, phishing, and financial fraud, particularly given the inclusion of eKYC records with scanned or digital copies of government-issued IDs such as passports, driver’s licenses, or UMIDs.

Following reports of the alleged sale, the NPC issued a public advisory urging vigilance and confirmed it has initiated an official investigation.

“The NPC has immediately launched an investigation after a dark Web post appeared claiming to sell user information,” the agency said in a statement.

The post by “Oversleep8351,” it added, allegedly includes merchant and user data, GCash account numbers, linked financial accounts, and KYC records containing personal and employment information.

The Complaints and Investigation Division of the NPC has since issued a Notice to Explain (NTE) to G-Xchange to obtain details about the alleged breach, and an online clarificatory conference has been scheduled.

As of 10:30 a.m. on October 27, however, no official data breach notification has been received from the company.

The NPC warned that if investigations confirm a compromise, it will undertake regulatory and enforcement actions under the Data Privacy Act of 2012.

While awaiting verification, the NPC urged all GCash users to:

  • Monitor their accounts closely for suspicious activity
  • Regularly update their MPINs and passwords
  • Enable all available security features
  • Stay alert to phishing or social engineering scams

“The public is advised to exercise caution and refrain from engaging with or sharing unverified claims circulating online,” the NPC said, adding that verified updates will be issued as soon as more information becomes available.

In a media statement, GCash denied any data compromise, saying that initial forensic analysis found “no compromise in GCash systems; data under circulation does not match official records or customer information.”

“Initial findings show that the alleged dataset does not match the data structure used within GCash systems,” the company said, adding that the files included individuals who are not GCash users and contained incomplete or invalid information.

“These findings strongly indicate that the material being circulated did not originate from GCash,” the statement read.

GCash assured customers that “there is no evidence of any breach in GCash systems” and that all customer accounts and funds remain secure.

The company said it continues to coordinate with the Bangko Sentral ng Pilipinas (BSP), the National Privacy Commission (NPC), and the Cybercrime Investigation and Coordinating Center (CICC) to validate information and ensure system protection.

GCash also advised users to report suspicious activity only through official channels, including the GCash Help Center, chatbot Gigi in the GCash app, or the hotline 2882.

“GCash remains fully committed to safeguarding customer data, strengthening our defenses, and upholding the trust of millions of Filipinos,” it said.

This story has been updated to include the newly released statement from GCash.
