Probe under way after breach exposes data of 1.95m Carousell users


SINGAPORE - An investigation is under way over a data breach on Oct 14 at online marketplace Carousell that exposed personal information of 1.95 million users, or about 39 per cent of its user accounts here.

The Personal Data Protection Commission (PDPC) issued a statement on Friday saying it was aware of the incident and had “commenced investigations”.

In response to queries, a Carousell spokesman said the breach led to users’ e-mail addresses, mobile numbers and dates of birth being exposed.

Carousell informed affected users on Friday evening that their data had been compromised: a bug introduced during a system migration was used by a third party to gain unauthorised access to the personal data.

“We have taken action in connection with this issue and have fixed the bug to prevent any further unauthorised access to personal information,” said the spokesman.

When asked why affected users were informed only a week after the breach, the spokesman said the platform had prioritised finding the source of the issue. 

“At the point of discovery, we did not have full details of the leak yet. Our initial priority was to ensure that the vulnerability has been isolated and contained and to size the impact of this leak to notify the Personal Data Protection Commission of Singapore,” said the Carousell spokesman, who added that the authorities were informed of the breach on Oct 17.

“Subsequently, our team also spent time dissecting the data in order to give complete information to our affected users, which is to identify which users were affected and for each user, what kind of data was affected.

“We sent out this alert as soon as we could.”

The spokesman added that Carousell had contacted all affected users and advised them to look out for any phishing e-mails or SMSes, and not to respond to any communications that ask for information such as their passwords. 

It also assured users that no credit card and payment-related information was compromised.

The Cyber Security Agency of Singapore also said it was aware of the incident and had reached out to Carousell to offer assistance. 

Said its spokesman: “We advise users to stay vigilant and look out for signs of phishing, such as any unexpected requests for information. 

“They should not click on any links or download any attachments before verifying the authenticity of such requests with official sources.”
