Payments made via financial services platform Toss using stolen data earlier this month have placed the fintech unicorn in the hot seat. Toss has stated this was not a cybersecurity breach, but concerns are rising over the platform’s ability to detect suspicious transactions, resulting in customers leaving the company.

Toss did not provide details but conceded Tuesday it has seen customers leave the platform over concerns related to the incident, after reports surfaced on the case that took place last week. Even if it wasn’t a hacking incident, customers appear to feel uneasy, as it is unknown how the data was obtained.

A total of 9.38 million won in payments were made June 3 on three websites, including a game company, using stolen data of eight Toss customers. A police investigation is ongoing to find out who made the payments.

Four of the eight customers reached out to Toss after finding out about the payments. Toss said it was able to find four more customers whose data was stolen to make payments on the same websites.

Toss said it paid back each of the customers the amounts of money paid with the stolen data June 4, the day after the incident.

The payments were made on websites for which the payment process was simplified ― requiring only a name, phone number, date of birth and password.

A Toss spokeswoman said Tuesday this “web payment” system was changed for the three websites where the payments in question were made.

“We changed the payment system for the three websites to an application payment system, which checks if the actual owner of the account is making the payment,” she said.

The “web payment” system is applied to about 30 businesses affiliated with merchants partnering with Toss. The spokeswoman said Toss will review whether to change the payment system for all other businesses.

Some say the simplified payment system enabled stolen data to be utilized, as payments can be made with only a few personal details and five-character password.