News

Authorities Respond & Start Investigations After Data Breach of 1.95 Million Carousell Users in S’pore

2022-10-22 , 12:00 pm

On 14 October this year, a data breach involving the personal information of Carousell users occurred.

Around 39%, or 1.95 million, of the platform’s users in Singapore were affected.

Currently, investigations regarding this data breach are undergoing, with the Personal Data Protection Commission (PDPC) releasing a statement on Friday (21 October) announcing that it has “commenced investigations” regarding this incident.

Here’s what you need to know, and signs to look out for to see if you were affected.

Carousell’s Response

A Carousell spokesperson shared that all of the affected users were informed by Carousell yesterday (21 October), so if you were one of those whose information was leaked, Carousell would have contacted you by now.

According to the spokesperson, the data, which included users’ email addresses, mobile numbers and dates of birth, were “compromised”.

Thankfully, no credit card or payment-related information was leaked or compromised, according to Carousell.

This came after a system migration resulted in a bug being introduced, and the bug was utilised by a third party in order for them to obtain unauthorised access to users’ personal information.

“We have taken action in connection with this issue and have fixed the bug to prevent any further unauthorised access to personal information,” the spokesperson added.

Apart from contacting the users, Carousell also released an advisory prompting the users to take note of any phishing emails or SMSes that they may receive, and to not reply to any of these forms of communications if they are asked to provide their personal information.

Took One Week to Inform Users as Finding Source of Breach Was Priority

As for why it took so long for Carousell to break the news to the affected users, the spokesperson mentioned that Carousell had placed searching for the source of the breach as the highest priority.

“At the point of discovery, we did not have full details of the leak yet. Our initial priority was to ensure that the vulnerability has been isolated and contained and to size the impact of this leak to notify the Personal Data Protection Commission of Singapore,” the spokesperson clarified.

Based on the spokesperson’s sharing, Carousell notified the authorities about the data breach on 17 October, three days after it happened.

“Subsequently, our team also spent time dissecting the data in order to give complete information to our affected users, which is to identify which users were affected and for each user, what kind of data was affected.

“We sent out this alert as soon as we could,” the spokesperson concluded.

Join our Telegram channel for more entertaining and informative articles at https://t.me/goodyfeedsg or download the Goody Feed app here: https://goodyfeed.com/app/

Cyber Security Agency’s Response

Apart from Carousell, the Cyber Security Agency of Singapore (CSA) confirmed that it has been informed about the incident, and that it has since contacted Carousell to provide the platform with assistance.

“We advise users to stay vigilant and look out for signs of phishing, such as any unexpected requests for information.

“They should not click on any links or download any attachments before verifying the authenticity of such requests with official sources,” a CSA spokesperson advised.

Authorities Respond & Start Investigations After Data Breach of 1.95 Million Carousell Users in S’pore

Carousell’s Response

Took One Week to Inform Users as Finding Source of Breach Was Priority

Cyber Security Agency’s Response

Read Also:

Watch this for a complete summary of what REALLY happened to Qoo10, and why it's like a K-drama:

Read Also: