A number of netizens claimed that they have received unrequested OTP codes for registration with MySejahtera in the early hours of the morning on Tuesday, 19 October
The text message reads: "RM0 MySejahtera: Your OTP No. is [redacted] for MySejahtera check-in registration and will expire in five minutes."
All the netizens stated that they did not request for the number or try to login or register with MySejahtera at the time as most of them were fast asleep.
The incident has sparked data security concerns
Many users worried that the app was hacked and wondered if their personal information was stolen or leaked.
Those on Twitter tagged the accounts of MySejahtera, the Ministry of Health (MOH), and Health Minister Khairy Jamaluddin in their posts, asking for clarification on the matter.
Meanwhile, in a development today, 20 October, social media users shared that they are receiving joke emails from the MySejahtera Helpdesk
Among several other Twitter users, Malay Mail news editor Zurairi AR tweeted that he received troll emails from the app's official email domain this morning and a few days ago.
The email he received today contains his MySejahtera ID as well as the message: "You've tested positive for covid nahhh, joking. Plenty of exploits to show. Regards, CPRC MOH."
Meanwhile, an earlier email came with a photo of Rick Astley on Sunday, 17 October.
Zurairi also shared that netizens in online forum Lowyat.NET have recently discussed how simple it was to instruct MySejahtera to send spam to others with a backend code.
At present, there has not been a public response from MySejahtera or MOH regarding the matter
However, according to Malay Mail, the MySejahtera team released a statement to the media today, 20 October, revealing that their app's check-in QR registration feature was misused by "malicious scripts" to send OTPs to mobile numbers.
The team assured users that their data was not accessed by the scripts and the issue will be fixed by tonight. They have yet to address the troll emails.
Last month, it was alleged that almost four million citizens' data from the National Registration Department (JPN) was breached: