Carousell data breach: Info from 2.6 million accounts allegedly sold on Dark Web, hacking forums

Carousell data breach: Info from 2.6 million accounts allegedly sold on Dark Web, hacking forums
The database is being sold for $1,000. Carousell said on Friday that 1.95 million user accounts were affected.
PHOTO: The Straits Times

SINGAPORE - A database of user accounts believed to have been stolen from online marketplace Carousell is being sold on the Dark Web and hacking forums, checks by The Sunday Times found.

The database, allegedly containing 2.6 million accounts’ information, is being sold for $1,000. Carousell said on Friday that 1.95 million user accounts were affected.

It informed affected users on Friday evening that their data was compromised after a bug was introduced during a system migration and used by a third party to gain unauthorised access. The bug has been fixed, said its spokesman.

It assured users that no credit card and payment-related information was compromised.

Hackers uploaded the 2GB database on Oct 12, two days before Carousell confirmed the breach.

The leak contains victims’ usernames, first and last names, e-mail addresses, mobile phone numbers, country of origin, date of account creation and number of followers.

The hackers said they will be selling only five copies of the database, which was obtained via a vulnerability that granted them partial access control of Carousell’s systems.

A sample file of 1,000 users’ data was also uploaded.

As of Saturday, the hackers said two copies have been sold.

ST understands that this database is the one being investigated by Carousell.

The Personal Data Protection Commission said it is aware of the incident and has “commenced investigations”. The Cyber Security Agency of Singapore said it has reached out to Carousell to offer assistance. 

Carousell’s spokesman said it contacted all affected users and advised them to look out for any phishing e-mails or SMSes, and not to respond to any communication that asks for information such as their passwords. 

ST has contacted Carousell for more information.

This comes after Singtel’s Australian subsidiary Optus was hit in September by a cyber breach that compromised up to 10 million customers’ data in one of the country’s biggest data breaches.

Singtel’s other Australian business, consulting unit Dialog, also fell victim to a data leak, with fewer than 20 clients and 1,000 current and former employees affected, it said in October.

In 2021, the personal data of some 129,000 Singtel customers were extracted by hackers during a breach of a third-party file-sharing system. The bank account details of 28 former Singtel employees, and the credit card details of 45 employees of a corporate customer, were also stolen.

Some of the stolen information were put up on the Dark Web. Over 11GB of data, including payment details and e-mail exchanges, were also leaked online by hackers.

There were 178 cases of data leaks by the Singapore Government in the year that ended on March 31, 2022, up 65 per cent from 108 cases in the preceding year.

This article was first published in The Straits Times. Permission required for reproduction.

This website is best viewed using the latest versions of web browsers.