Info theft in Singapore - Data of alleged 2.6 million online marketplace Carousell accounts being sold on Dark Web, hacking forums

The database is being sold for S$1,000. Carousell said on Friday that 1.95 million user accounts were affected. - The Straits Times/ANN

SINGAPORE, Oct 22 (The Straits Times/ANN): A database of user accounts believed to have been stolen from online marketplace Carousell is being sold on the Dark Web and hacking forums, checks by The Sunday Times found.

The database, allegedly containing the information of 2.6 million accounts, is being sold for S$1,000. Carousell said on Friday that 1.95 million user accounts were affected.

It informed affected users on Friday evening that their data was compromised after a bug was introduced during a system migration and used by a third party to gain unauthorised access. The bug has been fixed, said its spokesman.

It assured users that no credit card and payment-related information was compromised.

Hackers uploaded the 2GB database on Oct 12, two days before Carousell confirmed the breach.

The leak contains victims’ usernames, first and last names, e-mail addresses, mobile phone numbers, country of origin, date of account creation and number of followers.

The hackers said they will be selling only five copies of the database, which was obtained via a vulnerability that granted them partial access control of Carousell’s systems.

A sample file of 1,000 users’ data was also uploaded.

As at Saturday, the hackers said two copies have been sold.

ST understands that this database is the one being investigated by Carousell.

The Personal Data Protection Commission said it is aware of the incident and has “commenced investigations”. The Cyber Security Agency of Singapore said it has reached out to Carousell to offer assistance.

The Carousell spokesman said it contacted all affected users and advised them to look out for any phishing e-mails or SMSes, and not to respond to any communication that asks for information such as their passwords.

ST has contacted Carousell for more information.

This comes after Singtel’s Australian subsidiary Optus was hit in September by a cyber breach that compromised up to 10 million customers’ data in one of the country’s biggest data breaches.

Singtel’s other Australian business, consulting unit Dialog, also fell victim to a data leak, with fewer than 20 clients and 1,000 current and former employees affected, it said in October.

In 2021, the personal data of some 129,000 Singtel customers was extracted by hackers during a breach of a third-party file-sharing system. The bank account details of 28 former Singtel employees and the credit card details of 45 employees of a corporate customer were also stolen.

Some of the stolen information was put up on the Dark Web. Over 11GB of data, including payment details and e-mail exchanges, was also leaked online by hackers.

Follow us on our official WhatsApp channel for breaking news alerts and key updates!

Next In Aseanplus News

Asean news headlines as at 9pm on Monday (Feb 26)
Vietnam calls for a more open and level playing field in agricultural trade
Thai ministry endorses bill granting amnesty to owners for surrendering illegal firearms
Sri Lankan president highlights plans to link Hambantota with Myanmar
Philippines takes cancer screening into the workplace
About 200 people evacuated after fire at Sengkang executive condo
Cambodian PM Manet to pay official visit to Malaysia on Feb 27
HK actress Violet Lee dies at 70 after refusing medical treatment following fall
Deadly fire in Nanjing sparks scrutiny of e-bike hazards
US Chamber chief visits China in sign of warming business ties

Others Also Read