Carousell data breach exposes email and mobile numbers

On Friday (Oct. 21), e-commerce company Carousell informed its subscribers of a data breach that happened on Oct. 14.

The breach revealed the registered email addresses, mobile phone numbers, and dates of birth of users.

The platform notified affected consumers by email, but did not specify in the message why the notification took a week.

In response to CNA questions, a Carousell spokeswoman stated on Friday evening, “We sent out this message as quickly as we could.”

“At the time of discovery, our first priority was to confirm that the source of the problem had been fixed and to determine the scope of the breach in order to alert the Personal Data (Protection) Commission of Singapore.”

“Thereafter, our team spent hours examining the data in order to provide entire information to our affected users, i.e., to identify for each user which types of data were compromised.”

According to Carousell’s notification to impacted users, a defect introduced during a system migration was exploited by a third party to gain unauthorized access to the personal information of some Singaporean users.

It stated that it has “taken action” in response to the issue and has corrected the flaw to avoid unauthorized access to personal information in the future.

Our team is currently investigating the situation and developing security enhancements to prevent future occurrences of this type of incident. We are also conducting an inquiry with the relevant authorities, added the spokeswoman.

The company regrets the event sincerely and extends its sincerest apologies, the representative continued.

In its notification to users, Carousell reassured individuals who utilized its in-app payment option that no credit card or payment-related information was compromised.

It was said that no password-related information was exposed and that the incident was unlikely to result in identity theft because it did not include users’ NRIC numbers.

The message warned that sharing your mobile number and/or email address could make you more exposed to phishing attempts.

Users have been warned to be wary of phishing emails and text messages.

“Carousell will never ask our users to share personal information via email or in-app chat, and we ask that you do not respond to any communications that request information such as your passwords,” the spokesman stated.

Carousell will introduce automated and manual review methods for any external application programming interfaces (APIs) to guarantee that personal data is not exposed to unauthorised individuals, according to the spokeswoman.