Likely got issue on 2 sides

1) Grab - How could revenue harvest log into user account?

2) Revenue Harvest - This is where likely someone in the company that has access to api keys or customer data logged into the victims account to initiate the transfer.

I'm not surprised if revenue harvest outsourced some of their work to indonesia, which is quite a common practice.

I'm not too sure as well, but the pattern suggests it. Since not everyone's facing the problem, just a handful of people and revenue harvest is the common denominator. My guess would be the token being captured somehow by a POS/Terminal that the customer use grabpay to pay with. Websites "should" redirect to grab's servers so no token exchange in the process.

Would be a huge security flaw to allow tokens to be captured by 3rd party and for it not to be a single-use token. Grab has some accountability here as well.