THERE is no data breach or theft from the MySejahtera application, said Khairy Jamaluddin.

“There was, however, an abuse of the API (application programming interface),” said the minister during a press conference today.

“The Ministry of Health has identified the weaknesses where the API was manipulated to send out text messages and emails to users.

“But we have identified the weaknesses and already corrected them yesterday,” he added.

In addition to that, Khairy said that MySejahtera will implement a manual system for users to key in their phone numbers to “close the backdoor” to the API.

Khairy was responding to questions on MySejahtera users being spammed by email from the application’s helpdesk yesterday. 

Users, who received the messages, posted their complaints and screenshots of the emails on Twitter.

Some of the spam email read: “You’ve tested positive for covid nahhh, joking. Plenty of exploits to show.”

Besides the spam email, some users also complained about receiving one-time password (OTP) messages to verify their MySejahtera check-ins into premises. 

According to the MySejahtera team, the OTP messages were sent following an abuse of the  check-in QR registration feature meant for business premises. – October 21, 2021.