SINGAPORE – A database of user accounts allegedly stolen from online marketplace Carousell is being sold on the Dark Web and hacking forums, according to investigations by The Sunday Times.
The database, said to contain the information of 2.6 million accounts, is being sold for 1,000 dollars. Carousell said on Friday that 1.95 million user accounts were affected.
Carousell informed affected users on Friday evening that their data had been compromised after a bug was introduced during a system migration and used by a third party to gain unauthorized access. The bug has been fixed, its spokesperson said.
It assured users that no credit card and payment information was compromised.
Hackers downloaded the 2GB database on October 12, two days before Carousell confirmed the breach.
The leak contains the victims’ usernames, first and last names, email addresses, mobile phone numbers, country of origin, account creation date, and number of followers.
The hackers said they would only sell five copies of the database, obtained through a vulnerability that granted them partial access control to Carousell’s systems.
A sample data file of 1,000 users has also been uploaded.
As of Saturday, the hackers said two copies had been sold.
ST understands that this database is the same one examined by Carousell.
The Personal Data Protection Commission said it was aware of the incident and had “started investigations”. Singapore’s Cyber Security Agency said it contacted Carousell to offer help.
The Carousell spokesperson said it had contacted all affected users and advised them to look out for any phishing emails or text messages, and not to respond to any communication asking for information such as their passwords.
ST has contacted Carousell for more information.
The incident comes after Singtel’s Australian subsidiary, Optus, was hit in September by a cyber breach that compromised the data of up to 10 million customers, one of the country’s biggest data breaches.
Singtel’s other Australian business, consultancy unit Dialog, was also the victim of a data breach, with fewer than 20 customers and 1,000 current and former employees affected, it said in October.
In 2021, the personal data of some 129,000 Singtel customers was extracted by hackers in a breach of a third-party file sharing system. The bank details of 28 former Singtel employees and the credit card details of 45 employees of a corporate client were also stolen.
Some of the stolen information was uploaded to the Dark Web. More than 11GB of data, including payment details and email exchanges, has also been leaked online by hackers.