After unsolicited OTP text messages, MOH says MySejahtera's API ‘misused’ but no data breach

Housewife Kamisah Sies uses the MySejahtera app in Kuala Lumpur September 23, 2021. ― Picture by Miera Zulyana
Housewife Kamisah Sies uses the MySejahtera app in Kuala Lumpur September 23, 2021. ― Picture by Miera Zulyana

Follow us on Instagram and subscribe to our Telegram channel for the latest updates.


KUALA LUMPUR, Oct 20 — The Ministry of Health (MOH) today explained that no leaks were discovered in the MySejahtera user database and that the issue was only linked to an abuse of the app’s Application Programming Interface (API).

In a statement today, the ministry explained that in MySejahtera website, there is a feature or a check-in function for businesses, premises public transport and others, to obtain and display the MySejahtera QR Code, and to complete the application, the applicant, among others, must enter information such as email address or telephone number to obtain a one-time password (OTP).

“Based on initial investigations and necessary actions carried out by the National Cyber Security Agency (Nasca), the sending of fake emails and SMS is due to the abuse of the API (Application Programming Interface) and not a leak in the MySejahtera database.

“The MySejahtera check-in QR code registration application function has been misused by irresponsible parties. The party used the email addresses or telephone numbers randomly to perform the registration process. If the telephone number or email address entered at random exists, MySejahtera will send an OTP to the owner of the telephone number or email address to confirm the registration,” the statement read.

MOH said that in addition, the ‘Need Help?’ function in the same website was also misused to send spam emails randomly. 

“Following this irresponsible action, the MySejahtera team has further increased the security level of the MySejahtera application and website to prevent the same incident from recurring. For your information, for now, the application and MySejahtera website is under the joint management of the MOH and the National Security Council (NSC),” MOH said.

Earlier today, the MySejahtera team revealed that its check-in QR registration feature was misused by “malicious scripts” to send OTPs to mobile numbers.

The team responded after an increased number of complaints were registered through its helpdesk and social media platforms, on unsolicited OTP messages being received, some in the early hours of the morning.

The team, however, assured users that their data was not accessed by the scripts and that the issue will be fixed tonight.

Though the statement only addressed issues with text messages, several users also highlighted that they had received similar spam emails from account linked to MySejahtera: [email protected] and [email protected].

Some had received images of singer Rick Astley from his music video Never Gonna Give You Up.

The emails also came with an attached message reading: “Dear user, thank you for reaching out to MySejahtera Helpdesk. We have received your email and confirm your details as below. We shall investigate your request and due to high surge of traffic at helpdesk, we will get back to you within the next 5 days.Thank you for your patience & have a pleasant day ahead.”

Another user shared a screenshot of him receiving a prank email from MySejahtera, informing him that he had tested positive for Covid-19.

“You’ve tested positive for Covid nahhh, joking, plenty of exploits to show,” the email titled ‘MySejahtera Check-in Support-Health Assessment’ read.  

You May Also Like

Related Articles