The Singaporean arm of online marketplace Carousell has confirmed that it recently experienced a data breach. Prior to this, Channel News Asia (CNA) reported that a database containing details of 2.6 million users from the platform had been put on sale on an undisclosed online forum.
In a statement issued to website SoyaCincau, Carousell said that a bug triggered during a system migration had been exploited by a third party to gain unauthorised access to the personal data of “certain users” in Singapore. Based on its findings, the compromised information included a user’s email address, mobile number, and date of birth. CNA says the data breach occurred on 14 October 2022, though a screenshot of the forum post revealed that the seller had created the thread on 12 October.
SoyaCincau reports that out of five copies of the leaked database offered by the seller, two had already been sold as of 18 October via the forum, with each copy priced at US$1,000 (~RM 4,730). The data is claimed to be 2.5GB in size and to contain 5.5 million records, but is filtered down to 2.6 million to show only those with unique email addresses. In the thread, the seller also provided a sample containing personal data of 1,000 individuals which, worryingly enough, included details of Carousell users from Malaysia.
Even though the damage had already been done, the platform gave its assurance that it has taken the necessary action in connection with the issue, and has fixed the bug to prevent any further unauthorised access to the personal information of its users. “Our team is in the midst of assessing the situation and working on security enhancement features to prevent this type of event from happening in the future,” Carousell said in the statement. “We are also working with the relevant authorities on an investigation.”
The online marketplace added that it has already contacted those who have been affected by the data breach. All users are also advised by Carousell to remain vigilant and be cautious of potential phishing emails or mobile messages.