The alarm bells first rang on Monday, when the authorities were told that some SingPass users had had their passwords reset, even though they had not requested this.
Investigations then showed up another anomaly. Although a large number of SingPass passwords had been reset, only a "small" number of mobile numbers was used to obtain the one-time passwords to carry this out, said the Infocomm Development Authority of Singapore (IDA).
Yesterday, IDA revealed the extent of the incident. Some 1,560 SingPass accounts could have been accessed without their users' permission, in possibly the first known case of its kind on such a scale.
Out of these, passwords had been reset in 419 cases.
"From our checks, there is no evidence that the SingPass system has been compromised," said IDA managing director Jacqueline Poh last evening, in a briefing at the authority's Mapletree Business City office.
No losses have been reported either, as a result of the unauthorised access.
The compromise could have been at the users' end. The authority said that in many instances, it is not uncommon for passwords to be weak. IDA added that cyberattacks that try to guess user passwords by "brute force" are common and possibly on the rise.
Malware could also have been used.
Asked if it could have been an inside job, IDA said that investigations are ongoing.
SingPass, short for Singapore Personal Access, was launched in 2003 as a common online password for users to access government e-services.
Currently, 64 government agencies use SingPass for citizens and permanent residents to access more than 340 e-services.
These include accessing Central Provident Fund accounts and income tax records.
The total number of transactions that use SingPass hit 57 million last year, a more than tenfold increase since its launch.
IDA said the SingPass situation first came to light after it was notified on Monday by SingPass operator CrimsonLogic.
Eleven SingPass users had told the company last weekend that they had received a SingPass letter informing them that their password had been reset, even though they had not requested it.
Users will typically get such letters at a registered address within four days if they reset their passwords.
Investigations showed that a small number of mobile numbers had been used to get a one-time password to reset the passwords.
This could have happened because crooks with users' SingPass identities - their identification-card numbers - and passwords changed the phone numbers tied to users' SingPass accounts.
IDA lodged a police report on Tuesday. It has reset the passwords of all the 1,560 affected SingPass users and is informing them of this.
" The Government strongly urges all SingPass users to take the necessary precautions to enhance their cyber security. They should ensure that they use strong passwords to access not only SingPass, but all the other e-services they subscribe to. Strong passwords contain a combination of numerical figures, capital letters and are at least eight characters long. Users should also install anti-virus software and update all their software regularly," said Ms Poh.
The IDA added that it will continue to strengthen all government e-services as part of ongoing efforts to improve security.
Get MyPaper for more stories.