Overview
In late October 2025, reports emerged of a potential massive data breach involving GCash, the Philippines’ largest mobile wallet with over 94 million users. A dark-web post allegedly offered millions of user and merchant records spanning 2019–2025 for sale, raising serious concerns over data privacy and cybersecurity. While the National Privacy Commission (NPC) has begun a formal investigation, GCash firmly denies any breach, asserting that its systems remain secure.
The Alleged Breach: What Happened
The alleged leak first surfaced on dark-web forums, where a user identified as “Oversleep8351” claimed to sell millions of GCash account records. The dataset purportedly included account details, linked bank information, and eKYC data such as names, addresses, and valid IDs.
Despite these alarming claims, GCash maintains that no breach occurred, stating that the circulated data “did not originate” from its systems. The company’s cybersecurity review found the dataset structure inconsistent with its internal data formats and containing incomplete or fake entries.
GCash’s Official Statement
GCash, operated by G-Xchange, Inc. under Globe Fintech Innovations (Mynt), released an official statement saying:
“There is no evidence of any breach in GCash systems. All customer accounts and funds remain secure.”
The company added that it launched an internal investigation immediately upon learning of the reports and is working closely with the NPC, Bangko Sentral ng Pilipinas (BSP), and the Cybercrime Investigation and Coordinating Center (CICC). GCash also reiterated its commitment to safeguarding user data and strengthening its cybersecurity defenses.
NPC and Government Response
On October 27, 2025, the National Privacy Commission issued a Notice to Explain to G-Xchange and opened a clarificatory conference to investigate the matter. The NPC clarified that it had not received any official breach notification from GCash as of that date.
If proven, violations under the Data Privacy Act of 2012 could result in fines up to ₱5 million and possible criminal penalties. The NPC urged users to stay alert, update their passwords and MPINs, and verify all communications directly from official GCash channels to avoid phishing scams.
Other government bodies — including BSP and DICT — are also monitoring the case closely, emphasizing the need for transparency and improved cybersecurity measures within the fintech industry.
What Users Should Do
While investigations continue, experts and regulators recommend that all users:
- Change passwords and MPINs immediately to enhance account security.
- Enable biometric logins such as fingerprint or facial recognition for added protection.
- Avoid responding to suspicious messages or links that exploit the data breach scare.
- Monitor account activity regularly and report anomalies via official GCash support channels only.
Looking Ahead
As of this writing, no confirmed evidence of a data breach has been released. GCash’s systems remain operational, and both the company and the NPC have pledged to release updates as new information becomes available.
Regardless of the investigation’s outcome, the incident underscores the critical importance of cybersecurity vigilance in digital finance — especially for platforms serving millions of Filipinos.
👉 Follow and like TechPipino on Facebook for accurate updates, expert insights, and unbiased coverage on Philippine tech and cybersecurity news.
FAQs
1. Was GCash really hacked?
As of now, GCash and the NPC have not confirmed any verified breach. GCash maintains that the leaked data is not from its systems.
2. What data was allegedly leaked?
The dark-web post claimed to include account numbers, eKYC information, and transaction data, though these claims remain unverified.
3. What should GCash users do right now?
Users should change their passwords and MPINs, monitor transactions, and stay alert for phishing attempts while awaiting official updates.
