[ UPDATE 25/10/2022 14:00 ] Carousell has issued us with the following statement:
Based on our investigations, a bug was introduced during a system migration and was used by a third party to gain unauthorised access to personal data of certain users in Singapore. We have taken action in connection with this issue and have fixed the bug to prevent any further unauthorised access to personal information.
Based on what we have learned, the information that has been exposed includes:
Registered email address
Registered mobile number (if provided)
Date of birth (if provided)
Our team is in the midst of assessing the situation and working on security enhancement features to prevent this type of event from happening in the future. We are also working with the relevant authorities on an investigation.
Protecting our users’ personal information has been and will always be of utmost importance to us. We are committed to providing our community with a safe shopping environment, we deeply regret this incident and would like to share our sincerest apologies.
We have contacted all affected users, and we advise all of our users to be on the lookout for any phishing emails or SMSes. Carousell will never ask our users to share their personal information by email or in-app messaging, and we ask that they do not respond to any communications that ask for information such as your passwords.
-Carousell Spokesperson
===
eCommerce platform Carousell has been hit by a data breach that allegedly occurred on 14th October. A database containing contact details of 2.6 million users was put on sale on an online forum for USD 1,000 (about RM4,738). According to Channel News Asia, Carousell alerted its affected customers by email on Friday (21st October).
From the looks of it, the seller of the database is only offering five copies and the individual claims to have sold two copies as of 18th October 2022. The database claims to be 2GB in size containing 5.5 million records but is filtered down to 2.6 million records with unique emails. The seller has also provided sample data containing 1,000 records and it appears to contain several Malaysian and Indonesian users based on the country field. The records contain the account creation date, username, first and last name, email address, telephone, country and also the number of followers and following.
AsiaOne reported that the data was compromised after a bug was introduced during a system migration and was used by a third party to gain unauthorised access. Carousell said the bug has been fixed and assured that no credit card or payment-related information was compromised.
Since the leaked data contains contact details, it could potentially be used for spam and phishing attempts. Carousell said it has contacted all affected users and advised them to look out for any phishing emails or SMSes, and not to respond to any communications that ask for information such as their passwords.
We have reached out to Carousell to find out more about the impact of the data breach on Malaysian users.