Carousell confirms data breach, 1.95m accounts reportedly impacted

Carousell Singapore recently faced a data breach on 14 October, with approximately 1.95 million accounts being compromised. According to The Straits Times, this formed 39% of its user accounts in Singapore. The Personal Data Protection Commission (PDPC) has also been alerted to the situation and has begun investigations, ST reported.

As of now, only registered email addresses have been exposed. Carousell reassured users in an email that no credit card and payment-related information was compromised in this incident, especially for consumers that have used its in-app payment feature either as a buyer or seller. "Based on the type of data that was affected, it is unlikely that this incident will result in an identity theft as it does not include information like your NRIC number," the company said.

Carousell explained that a bug was introduced during a system migration and was used by a third party to gain unauthorised access to the personal data of some users. The company has taken action and fixed the bug to prevent any further unauthorised access to personal information. The team is also working on security enhancement features to better protect users and prevent similar events from happening in the future.

However, it explained that a potential risk of having one's mobile number and/or email address shared is that users would be more susceptible to phishing attempts. The company urged users to be on alert and to look out for SMSes or emails sent to them from unknown sources, especially those with foreign links. Carousell is also actively assisting PDPC in investigations. "We are deeply sorry for this incident and fully understand that this is concerning news," the company said.

The team has implemented active alerting on any change of behaviour in its critical Application Programming Interfaces (APIs). In addition, it is adding automated and manual review processes for any external APIs that may be using personally identifiable data, to ensure this data is not provided by the APIs to unauthorised users.

Users were only informed now as Carousell did not have full details yet at the point of discovery. It explained that its initial priority was to ensure that the vulnerability has been isolated and contained, and to size the impact of the incident to notify PDPC, which it did on 17 October.

Subsequently, its team also spent time dissecting the data in order to give complete information to affected users, that is, to identify which users were affected and, for each user, what kind of data was affected. Carousell's spokesperson told MARKETING-INTERACTIVE that it is working with an external adviser, Sygnia, to validate its internal investigation and to provide an independent assessment to authorities.

"Protecting our users’ personal information has been and will always be of utmost importance to us. We are committed to providing our community with a safe shopping environment, we deeply regret this incident and would like to share our sincerest apologies," the spokesperson said.

The company is also in the midst of contacting affected users in all of its markets, and advises all users to be on the lookout for any phishing emails or SMSes. "Carousell will never ask our users to share their personal information by email or in-app messaging, and we ask that they do not respond to any communications that ask for information such as your passwords," the spokesperson said.

Meanwhile, in a separate report, ST said approximately 2.6 million Carousell accounts are currently being sold on the dark web for SG$1,000. ST added that the 2GB database was uploaded onto the dark web on 12 October, just two days before Carousell reported the breach. The information included usernames, first and last names, email addresses, mobile phone numbers, as well as country of origin. According to ST, hackers will only be selling five copies of the database.
