Skip to content

Carousell hit by data breach, users’ email addresses and mobile numbers exposed

SINGAPORE: E-commerce platform Carousell notified its users on Friday (Oct 21) of a data breach that occurred on Oct 14.

Data that was exposed by the breach includes users’ registered email addresses and mobile numbers.

The platform informed users whose accounts were affected by the breach via email, and did not detail why it took a week to notify users.

CNA has contacted Carousell for more information.

“Based on our investigations, a bug was introduced during a system migration and was used by a third party to gain unauthorized access to personal data of certain users in Singapore,” said the platform in its notice to affected users.

“We have taken actions in connection with this issue and have fixed the bug to prevent any further unauthorized access to personal information. Our team is also working on security enhancement features to better protect our community and prevent similar events from happening in the future.”

Carousell said it had notified law enforcement officials, including the Personal Data Commission of Singapore, and is assisting them with their investigations.

It assured users that have used its in-app payment feature that no credit card and payment-related information was compromised in this incident.

The platform said that no password-related information was compromised in the breach, and that it was unlikely that the incident would result in identity theft, as it does not include users’ NRIC numbers.

“A potential risk of having your mobile number and/or email address shared would be that you would be more susceptible to a phishing attempt,” said Carousell.

Carousell urged users to be on alert and to keep a look out for SMSes or emails sent to you from unknown sources especially those with foreign links.

.