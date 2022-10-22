Data of alleged 2.6m Carousell users being sold on Dark Web, hacking forums

SINGAPORE - A database of users believed to have been stolen from online marketplace Carousell is being sold on the Dark Web and hacking forums, checks by The Sunday Times found.

The database, allegedly containing 2.6 million users’ information, is being sold for $1,000. Carousell said on Friday that 1.95 million users were affected.

It informed affected users on Friday evening that their data was compromised after a bug was introduced during a system migration and used by a third party to gain unauthorised access. The bug has been fixed, said its spokesman.

It assured users that no credit card and payment-related information was compromised.

Hackers uploaded the 2GB database on Oct 12, two days before Carousell confirmed the breach.

The leak contains victims’ usernames, first and last names, e-mail addresses, mobile phone numbers, country of origin, date of account creation and number of followers.

The hackers said they will be selling only five copies of the database, which was obtained via a vulnerability that granted them partial access control of Carousell’s systems.

A sample file of 1,000 users’ data was also uploaded.

As of Saturday, the hackers said two copies have been sold.

ST understands that this database is the one being investigated by Carousell.

The Personal Data Protection Commission said it is aware of the incident and has “commenced investigations”. The Cyber Security Agency of Singapore said it has reached out to Carousell to offer assistance. 

Carousell’s spokesman said it contacted all affected users and advised them to look out for any phishing e-mails or SMSes, and not to respond to any communication that asks for information such as their passwords. 

ST has contacted Carousell for more information.

