Users' names, ID numbers, phone numbers, addresses, birth dates, gender, emails and occupations of the accounts were posted on Raidforums, a website that trades in stolen data.
Hackers said there was more info to be revealed, and whoever wanted them must pay to get it.
The two million accounts' info had actually been leaked onto a lesser-known Internet forum over a month ago, and was only recently moved to Raidforums last month, said an expert with a Hanoi-based cybersecurity firm.
The accounts might have been compromised either through a direct attack on the bank’s database, or someone from the bank might have leaked the information, the expert said. Victims of the leak "might be spammed with advertisements" as their emails and phone numbers were compromised.
The leak was a serious one, said Vo Do Thang, director of cybersecurity firm Athena.
"The fact that users' information is publicized like this is sensitive and dangerous [for victims], as they could lose money and face other risks at any time," he said.
"When a customer does transactions with the bank, they have put their entire faith in it. The bank also has the responsibility to protect all the properties of their customers. In case the bank fails to protect their users' account, the users can sue the bank," he said.
The only way for victims to protect themselves is to lock their bank accounts, he said.
MSB has said it is cooperating with the police in dealing with the incident.
Last year, over 5.4 million emails thought to be of customers and employees of retail giant The Gioi Di Dong were also leaked on Raidforums. The firm later asserted that its system had not been hacked and that the company did not store customers' card numbers and transaction times, so it was impossible for such information to be leaked from its system.
Tags: