2.6 Million Carousell Account Details Being Sold in the Dark Web for $1,000

If you’ve ever wondered how much your personal details, which includes your username, name, contact number and email address, are worth, there’s now a ballpark figure, since you’re probably a Carousell user.

A total of 2.6 million Carousell account details are being sold in the dark web for USD$1,000, which means each of us is worth USD$0.00038.

Still think that your Instagram Likes are important?

2.6 Million Carousell Account Details Being Sold in the Dark Web for $1,000

On 14 October, a data breach involving the personal information of Carousell users occurred.

According to Carousell, around 39%, or 1.95 million, of the platform’s users in Singapore were affected.

It’s unknown how the figure ballooned to 2.6 million in the dark web.

The hackers had apparently uploaded the database on 12 October—two days before Carousell had found the breach.

According to the hacking forum in the dark web, only five copies of the data that is priced at USD$1,000 would be sold, and as of today, two copies have been sold.

What Happened

A Carousell spokesperson said that all of the affected users were informed by Carousell yesterday (21 October), so if you were one of those whose information was leaked, Carousell would have contacted you by now.

According to the spokesperson, the data, which included users’ email addresses, mobile numbers and dates of birth, were “compromised”.

Thankfully, no credit card or payment-related information was leaked or compromised, according to Carousell.

This came after a system migration resulted in a bug being introduced, and the bug was utilised by a third party in order for them to obtain unauthorised access to users’ personal information.

“We have taken action in connection with this issue and have fixed the bug to prevent any further unauthorised access to personal information,” the spokesperson added.

Apart from contacting the users, Carousell also released an advisory prompting the users to take note of any phishing emails or SMSes that they may receive, and to not reply to any of these forms of communications if they are asked to provide their personal information.

Took One Week to Inform Users as Finding Source of Breach Was Priority

As for why it took so long for Carousell to break the news to the affected users, the spokesperson mentioned that Carousell had placed searching for the source of the breach as the highest priority.

“At the point of discovery, we did not have full details of the leak yet. Our initial priority was to ensure that the vulnerability has been isolated and contained and to size the impact of this leak to notify the Personal Data Protection Commission of Singapore,” the spokesperson clarified.

Based on the spokesperson’s sharing, Carousell notified the authorities about the data breach on 17 October, three days after it happened.

“Subsequently, our team also spent time dissecting the data in order to give complete information to our affected users, which is to identify which users were affected and for each user, what kind of data was affected.

“We sent out this alert as soon as we could,” the spokesperson concluded.

Join our Telegram channel for more entertaining and informative articles at https://t.me/goodyfeedsg or download the Goody Feed app here: https://goodyfeed.com/app/

Cyber Security Agency’s Response

Apart from Carousell, the Cyber Security Agency of Singapore (CSA) confirmed that it has been informed about the incident, and that it has since contacted Carousell to provide the platform with assistance.

“We advise users to stay vigilant and look out for signs of phishing, such as any unexpected requests for information.

“They should not click on any links or download any attachments before verifying the authenticity of such requests with official sources,” a CSA spokesperson advised.

This is especially so since it’s now confirmed that the details are now being purchased by at least two entities, and we’re pretty sure they didn’t buy them to collect email addresses.

Read Also: