Info theft in Singapore - Data of alleged 2.6 million online marketplace Carousell accounts being sold on Dark Web, hacking forums

The database is being sold for S$1,000. Carousell said on Friday that 1.95 million user accounts were affected. - The Straits Times/ANN

SINGAPORE, Oct 22 (The Straits Times/ANN): A database of user accounts believed to have been stolen from online marketplace Carousell is being sold on the Dark Web and hacking forums, checks by The Sunday Times found.

The database, allegedly containing the information of 2.6 million accounts, is being sold for S$1,000. Carousell said on Friday that 1.95 million user accounts were affected.

It informed affected users on Friday evening that their data was compromised after a bug was introduced during a system migration and used by a third party to gain unauthorised access. The bug has been fixed, said its spokesman.

It assured users that no credit card and payment-related information was compromised.

Hackers uploaded the 2GB database on Oct 12, two days before Carousell confirmed the breach.

The leak contains victims’ usernames, first and last names, e-mail addresses, mobile phone numbers, country of origin, date of account creation and number of followers.

The hackers said they will be selling only five copies of the database, which was obtained via a vulnerability that granted them partial access control of Carousell’s systems.

A sample file of 1,000 users’ data was also uploaded.

As at Saturday, the hackers said two copies have been sold.

ST understands that this database is the one being investigated by Carousell.

The Personal Data Protection Commission said it is aware of the incident and has “commenced investigations”. The Cyber Security Agency of Singapore said it has reached out to Carousell to offer assistance.

The Carousell spokesman said it contacted all affected users and advised them to look out for any phishing e-mails or SMSes, and not to respond to any communication that asks for information such as their passwords.

ST has contacted Carousell for more information.

This comes after Singtel’s Australian subsidiary Optus was hit in September by a cyber breach that compromised up to 10 million customers’ data in one of the country’s biggest data breaches.

Singtel’s other Australian business, consulting unit Dialog, also fell victim to a data leak, with fewer than 20 clients and 1,000 current and former employees affected, it said in October.

In 2021, the personal data of some 129,000 Singtel customers was extracted by hackers during a breach of a third-party file-sharing system. The bank account details of 28 former Singtel employees and the credit card details of 45 employees of a corporate customer were also stolen.

Some of the stolen information was put up on the Dark Web. Over 11GB of data, including payment details and e-mail exchanges, was also leaked online by hackers.

Article type: free
User access status:
Subscribe now to our Premium Plan for an ad-free and unlimited reading experience!

Next In Aseanplus News

Philippines inches up in corruption index but low score persists
Indonesia’s largest Islamic group draws govt officials eyeing political positions
Fires claim four lives in Sihanoukville
6.0-magnitude quake rocks southern Philippines
Lawyer confirms possessing a vape in Thailand is illegal, can lead to jail
MACC probe against Bersatu an abuse of govt agencies, claims Hamzah
Doctor accused of sex crimes against 14-year-old and other women; allegedly cheated polyclinics
‘Five shots a day’? Bali celebrates first Arak Day
Myanmar streets empty in protest on coup anniversary
HK actor Tony Leung makes Douyin debut, welcomed by Andy Lau

Others Also Read