The database, according to a tweet by Adnan Mohd Shukor, is claimed to contain details such as names, emails, mobile numbers and addresses, and is grouped by birth year from 1979 to 1998.
The data is claimed to be harvested from the National Registration Department (NRD) through the myIDENTITY API.
Adnan, an intrusion analyst, also tweeted that the 31.8GB file is being offered for sale for 0.2 BTC (RM35,350).
"I have a crawler running to monitor a few specific keywords. I got an alert yesterday morning and found this posting in a marketplace for database breaches and leaks," Adnan said in a phone interview.
Adnan said he has been on the lookout for this database, as it has been talked about by a number of sellers for the past few months.
"This is not the first time that such a database with details from NRD has leaked onto this marketplace.
"I believe this database is likely to be legitimate as I have sources who have said they have discovered similar findings," he claimed.
Adnan said he has informed the relevant parties about the discovery before going public on Twitter.
"I've reported previous findings before and felt that there was no progress. Instead, I got some disappointing responses.
"They were more concerned about how I found the database. As this is now public, I hope to see things change," he said.
Digital Forensics Research Society (DFRS) president Dr Aswami Fadillah Mohd Ariffin said "policies and technicalities" must address whatever incidents or cases are happening on the ground.
"If not, digital transformation will not progress smoothly," he said.
Cybersecurity firm LGMS founder Fong Choong Fook said it's likely that the database is made up of information from past data breaches.
"I don't have access to the database, so what I can say is that the information can be found from various stashes on the Internet as we have suffered several rounds of data leak before," he said, pointing to the 2017 data leak involving 46 million mobile numbers as an example.
When contacted, CyberSecurity Malaysia, the national cyber security specialist agency under the purview of the Communications and Multimedia Malaysia Ministry, said it will not be issuing a statement for now, adding that the issue is under the jurisdiction of the Department of Personal Data Protection (JPDP).
NRD has yet to respond but said a statement will be released later.