PETALING JAYA: The MySejahtera team is investigating an incident where unsolicited one-time password (OTP) messages were sent to random phone numbers.

       In a brief statement, the team said it had received complaints through the MySejahtera app helpdesk and social media channels about the incident, where an unsolicited OTP message was sent to verify random users’ phone numbers for check-in QR registration, which is meant for business premises.

       “The MySejahtera team has investigated and found that the check-in QR registration feature meant for business premises was misused by some malicious scripts to send OTP to random phone numbers,” it said on Wednesday (Oct 20).

       Although random phone numbers were spammed to verify their numbers, the team gave an assurance that no user data was accessed by the “malicious scripts”.

       The team also apologised for the inconvenience and added that it has since blocked MySejahtera's application programming interface (API) endpoints to facilitate a security enhancement fix later at night.

       An API refers to the coding platform that allows two software programmes to communicate.

       An API endpoint is where it connects with the software programme. APIs work by sending information requests from a web application or server and receiving a response.