Carousell hit by data security breach, users' email addresses and mobile numbers exposed


InitialD.D

Senior Member
Joined
Mar 24, 2020
Messages
2,094
Reaction score
603
We confirmed on 14 October 2022 that there has been a personal data security breach.

You are receiving this email because we have identified that your account was affected, and are updating you directly as protecting our users’ personal information has been and will always be of utmost importance to us.

Based on our investigations, a bug was introduced during a system migration and was used by a third party to gain unauthorised access to personal data of certain users in Singapore. We have taken actions in connection with this issue and have fixed the bug to prevent any further unauthorised access to personal information. Our team is also working on security enhancement features to better protect our community and prevent similar events from happening in the future.

We have also notified law enforcement officials including the Personal Data Commission of Singapore and are assisting them with their investigations.

We have put together the following FAQ to address some of the concerns you may have.

1. What user data was affected?
Based on what we have learned, the following information of your Carousell account has been exposed:

  • Registered email address
  • Registered mobile number

For users who have used our in-app payment feature, either as a buyer or seller, please be assured that no credit card and payment-related information was compromised in this incident.


2. Would someone be able to log into my Carousell account with the information?
No. Your Carousell account password is required to log into your Carousell account and no password-related information was compromised in this incident.

An additional guardrail we have in place is that 2FA through your registered email address is needed when we detect that there is a login attempt through a new device. As long as this 2FA code is not shared, your Carousell account and its content will remain accessible only to you.


3. If my data was compromised through this incident, what are the risks to me?
Based on the type of data that was affected, it is unlikely that this incident will result in an identity theft, as it does not include information like your NRIC number.

A potential risk of having your mobile number and/or email address shared would be that you would be more susceptible to a phishing attempt. We urge you to be on alert and to keep a look out for SMSes or emails sent to you from unknown sources especially those with foreign links.


4. How do I delete my account and all the data you have on me?
To submit a data removal request, please refer to our article 'How do I delete my Carousell account?'

We value the trust you have placed in us, and the security of our users remains a top priority. If you have any further questions, please do not hesitate to reach out to us at dpo@thecarousell.com and we will do all we can to support you.
Just received this email.
 

TimsTom

Arch-Supremacy Member
Joined
Jan 24, 2011
Messages
15,349
Reaction score
5,403
4. How do I delete my account and all the data you have on me?
To submit a data removal request, please refer to our article 'How do I delete my Carousell account?'

We value the trust you have placed in us, and the security of our users remains a top priority. If you have any further questions, please do not hesitate to reach out to us at dpo@thecarousell.com and we will do all we can to support you.

Haha, a lame point in the email. Already sexposed, then still act teach users how to delete their data with them.
 

MiG123

Great Supremacy Member
Joined
Dec 12, 2007
Messages
55,661
Reaction score
9,627
These days sign up for any service or provide personal data to any platform in SG can expect it to be leaked at some point

our IT infra and maintenance outsourced to folks from all over the world (either based here or otherwise) that any one of them cld just take a dump of the data and sell it without a trace or accountability

service providers couldn’t care less to enact costly safeguards and preventive measures cuz our data privacy laws are a joke and offer little more than slap on the wrist for offenders
 

trowa07

Banned
Joined
Nov 2, 2003
Messages
1,801
Reaction score
664
These days sign up for any service or provide personal data to any platform in SG can expect it to be leaked at some point

our IT infra and maintenance outsourced to folks from all over the world (either based here or otherwise) that any one of them cld just take a dump of the data and sell it without a trace or accountability

service providers couldn’t care less to enact costly safeguards and preventive measures cuz our data privacy laws are a joke and offer little more than slap on the wrist for offenders
Nuts Cat Sika is the main vendors for many coy in sg, there are many other operating out of shop houses in little *****. Sika network very powerful one , even google CEO also.
 

asiafrenz

High Supremacy Member
Joined
Jul 23, 2010
Messages
32,079
Reaction score
3,155
KNS !!! I also received, no big fine these companies just continue to have this nonsensical data breach like every day eat chap chye png :mad::mad::mad:
 

Zinna

Arch-Supremacy Member
Joined
Mar 29, 2021
Messages
19,724
Reaction score
11,616
Where is Jo teo?
Better comment and fine them gao gao. These kind of nonsense cannot just let go without anything
 
Joined
Nov 2, 2020
Messages
6,001
Reaction score
7,145
Maybe they lowball their IT vendor, bro $10 per year can? We student

Hope they don’t lowball their hackers demand, later leak. Bro, I buy back our data for $5 can? Meet Cantonment Police Station?
 