More than 1,500 SingPass users could have had their accounts accessed without their knowledge, in the first known case of its kind on such a scale.
About a quarter of them even had their confidential passwords reset, with some realising this only when they received letters in the mail informing them of the change.
The passwords of all affected users have since been reset and there have been no reported losses, including monetary ones, so far, the Infocomm Development Authority (IDA) said yesterday.
"From our checks, there is no evidence that the SingPass system has been compromised," said IDA's managing director Jacqueline Poh, revealing the extent of the incident at a press conference.
SingPass, short for Singapore Personal Access, was launched in 2003 as a single common password for users to access a variety of government services online.
Currently, 64 government agencies use SingPass for citizens and residents to access more than 340 "e-services". These include checking on information such as Central Provident Fund account balances and income tax records.
Last year, there were over 57 million SingPass transactions.
While there has been unauthorised access to SingPass accounts before, these were one-off cases.
IDA said it was first notified on Monday of the security scare by SingPass' operator CrimsonLogic, a local e-government solutions provider.
Eleven SingPass users told the company at the weekend they had received a SingPass letter informing them their passwords had been reset, even though they had not requested it.
Such letters automatically arrive within four days of a user resetting his or her password.
IDA immediately investigated the matter and found an anomaly.
A suspiciously large number of SingPass accounts had been linked to a much smaller pool of mobile phone numbers.
This was a sign that crooks may have somehow logged into SingPass accounts, changed the mobile numbers associated with them and reset the accounts.
In all, 1,560 accounts were involved, and 419 users eventually had their account passwords reset. On discovering this, IDA lodged a police report on Tuesday morning.
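The anomaly described above, many accounts pointing at a small pool of mobile numbers, is the kind of signal a defender can check for in account-change audit logs. The following is an added example, not part of the original article and not IDA's or CrimsonLogic's code; the log format, event names, 8-digit number normalisation and the thresholds (three accounts within seven days) are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines (not real data): time, account, event, new mobile number.
SAMPLE_LOG = """\
2014-01-10T09:00:00 acct-06 MOBILE_CHANGED 90000003
2014-03-01T09:00:00 acct-07 MOBILE_CHANGED 90000003
2014-05-28T10:00:00 acct-01 MOBILE_CHANGED +65 9000 0001
2014-05-28T10:05:00 acct-01 PASSWORD_RESET
2014-05-28T11:00:00 acct-02 MOBILE_CHANGED 90000001
2014-05-29T09:30:00 acct-03 MOBILE_CHANGED 9000-0001
2014-05-29T09:31:00 acct-03 PASSWORD_RESET
2014-05-30T08:00:00 acct-04 MOBILE_CHANGED 90000002
2014-05-30T12:00:00 acct-05 MOBILE_CHANGED 6590000001
2014-05-30T13:00:00 acct-08 MOBILE_CHANGED 90000003
"""

def normalize(number):
    # Assumption: numbers are compared on their last 8 digits (local format).
    return "".join(ch for ch in number if ch.isdigit())[-8:]

def parse(log):
    events = []
    for line in filter(None, map(str.strip, log.splitlines())):
        ts, account, event, *rest = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), account, event,
                       normalize(rest[0]) if rest else None))
    return sorted(events, key=lambda e: e[0])

def shared_number_alerts(events, min_accounts=3, window=timedelta(days=7)):
    changes = defaultdict(list)  # number -> [(time, account)] in time order
    current = {}                 # account -> number it was last changed to
    resets = defaultdict(set)    # number -> accounts reset after the change
    for ts, account, event, number in events:
        if event == "MOBILE_CHANGED":
            changes[number].append((ts, account))
            current[account] = number
        elif event == "PASSWORD_RESET" and account in current:
            resets[current[account]].add(account)
    alerts = defaultdict(set)
    for number, seen in changes.items():
        start = 0
        for end, (ts, _) in enumerate(seen):
            while ts - seen[start][0] > window:  # slide the window forward
                start += 1
            accounts = {acct for _, acct in seen[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[number] |= accounts
    return {n: {"accounts": sorted(a), "reset": sorted(resets[n] & a)}
            for n, a in alerts.items()}
```

On the constructed log, only the number shared by four accounts in three days is flagged; the number reused by three accounts spread over several months stays below the threshold because of the time window.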
Asked if it could have been an inside job, IDA said that police investigations are still ongoing. However, it noted that cyber attacks that try to guess user passwords by "brute force" are common and possibly on the rise.
"Users should ensure that they use strong passwords to access not only SingPass, but all the other e-services they subscribe to," said IDA's Ms Poh, adding that users should also install anti-virus software and update software regularly. She said strong passwords contain a combination of numerical figures and capital letters, and are at least eight characters long.
The IDA added that it will continue to strengthen all government e-services as part of ongoing efforts to improve security.
IT security experts said the information from a SingPass account is valuable to cybercrooks.
Said Trend Micro country manager for Singapore David Siah: "A SingPass account is a gold mine. It doesn't really transact like a bank account, but it gives you access to a lot of platforms. CPF data access would be one that is worrying, and other platforms that hold financial information."
Additional reporting by Hoe Pei Shan
This article was first published on June 5, 2014.