No data leak, MySejahtera check-in QR code and helpdesk abused by irresponsible parties, says MoH

KUALA LUMPUR (Oct 20): Following complaints from several MySejahtera users about receiving troll emails and spam SMS messages with one-time passwords (OTPs) from the Covid-19 app's helpdesk, the Ministry of Health (MoH) has confirmed that there is no leak in the MySejahtera database.

"The ministry has received complaints through the MySejahtera helpdesk and social media about the OTP message to confirm the user's phone number for MySejahtera check-in QR code registration and spam emails from the MySejahtera helpdesk.

"Based on the initial investigation and actions taken by the National Cyber Security Agency (NACSA), the sending of the fake emails and SMSs is due to misuse of the API (application programming interface) and not a leak in the MySejahtera database," the ministry said in a statement on Wednesday.

An API refers to the coding platform that allows two software programs to communicate.

An API endpoint is where it connects with the software program. APIs work by sending information requests from a web application or server and receiving a response.

On the MySejahtera website, there is a MySejahtera Check-In Registration feature that allows businesses, establishments, public transportation, and others to obtain and display the MySejahtera QR code. To complete the registration, an applicant must enter information such as their email address or phone number, among other things, to receive an OTP.

Following the complaints received, the MySejahtera team conducted an initial investigation. The team found that the function of the MySejahtera Check-in QR Code Registration application was misused by irresponsible parties. These parties used a random email address or phone number to complete the registration process.

The MoH said that if the phone number or email address was entered randomly, MySejahtera will send an OTP to the owner of the phone number or email address to confirm the registration.

In addition, the ministry noted that the Need Help feature on the same website was also misused to send random spam emails.

“Following this irresponsible action, the MySejahtera team has further increased the security level of MySejahtera's applications and websites to prevent such an incident from happening again,” the ministry added.

The MySejahtera application and website are currently jointly managed by the MoH and the National Security Council (MKN).

Get the latest news @

Subscribe to our Telegram channel for the latest stories and updates 

Click here for more property stories

Like our content? Check out Narratives – where we curate stories based on topics to keep you well and broadly informed about Malaysian real estate.

Looking for property? Check out Location Scan, where we summarize all available options and facts you need in a few clicks. We have updated the tool to include MRT3 stations too.

Curious how much you can borrow? Use LoanCheck to get your maximum loan eligibility from various banks, or LoanReport to get a FREE CTOS/CCRIS credit report.
  1. Malaysia's Covid-19 R-nought back to 1.0 — first time since August
  2. MoH estimates up to 200,000 backlog surgeries due to pandemic
  3. MySejahtera app administrator apologises for home surveillance order, person under surveillance errors