Data of alleged 2.6m Carousell accounts being sold on Dark Web, hacking forums

The database is being sold for $1,000. Carousell said on Friday that 1.95 million user accounts were affected.

SINGAPORE - A database of user accounts believed to have been stolen from online marketplace Carousell is being sold on the Dark Web and hacking forums, checks by The Sunday Times found.

The database, allegedly containing the information of 2.6 million accounts, is being sold for $1,000. Carousell said on Friday that 1.95 million user accounts were affected.

It informed affected users on Friday evening that their data was compromised after a bug was introduced during a system migration and used by a third party to gain unauthorised access. The bug has been fixed, said its spokesman.

It assured users that no credit card and payment-related information was compromised.

Hackers uploaded the 2GB database on Oct 12, two days before Carousell confirmed the breach.

The leak contains victims’ usernames, first and last names, e-mail addresses, mobile phone numbers, country of origin, date of account creation and number of followers.

The hackers said they will be selling only five copies of the database, which was obtained via a vulnerability that granted them partial access control of Carousell’s systems.

A sample file of 1,000 users’ data was also uploaded.

As at Saturday, the hackers said two copies have been sold.

ST understands that this database is the one being investigated by Carousell.

The Personal Data Protection Commission said it is aware of the incident and has commenced investigations. The Cyber Security Agency of Singapore said it has offered assistance to Carousell. 

The Carousell spokesman said it contacted all affected users and advised them to look out for any phishing e-mails or SMSes, and not to respond to any communication that asks for information such as their passwords. 

ST has contacted Carousell for more information.

This comes after Singtel’s Australian subsidiary Optus was hit in September by a cyber breach that compromised up to 10 million customers’ data in one of the country’s biggest data breaches.

Singtel’s other Australian business, consulting unit Dialog, also fell victim to a data leak, with fewer than 20 clients and 1,000 current and former employees affected, it said in October.

In 2021, the personal data of some 129,000 Singtel customers was extracted by hackers during a breach of a third-party file-sharing system. The bank account details of 28 former Singtel employees and the credit card details of 45 employees of a corporate customer were also stolen.

Some of the stolen information was put up on the Dark Web. Over 11GB of data, including payment details and e-mail exchanges, was also leaked online by hackers.

Join ST's WhatsApp Channel and get the latest news and must-reads.