Carousell hit by data security breach exposing email addresses, phone numbers; 1.95 million user accounts affected

SINGAPORE — Some 1.95 million Carousell user accounts — which make up about 39 per cent of the total number of user accounts here in Singapore — were affected by a data security breach on the e-commerce platform, the firm told TODAY late on Friday (Oct 21).

Earlier in the day, it had notified some of its users via email of the data security breach which happened a week ago on Oct 14.

In the email to its users, Carousell said that the data that was exposed include the users' registered email addresses and mobile phone numbers.

“For users who have used our in-app payment feature, either as a buyer or seller, please be assured that no credit card and payment-related information was compromised in this incident,” the firm told the users.

In response to TODAY’s queries, Carousell said that based on its investigations, “a bug was introduced during a system migration”.

“(This) was used by a third party to gain unauthorised access to personal data of certain users in Singapore. We have taken action in connection with this issue and have fixed the bug to prevent any further unauthorised access to personal information.”

The firm told TODAY that its team is in the midst of assessing the situation and working on security enhancement features to prevent this type of event from recurring.

“We are also working with the relevant authorities on an investigation,” said Carousell.

In its statement, Carousell also said users' date of birth, if provided, was also among the data affected by the breach.

In its notice to affected users, the firm said that it had notified law enforcement officials, including the Personal Data Commission of Singapore, and is assisting them with their investigations.

Carousell said that based on the type of data that was affected in the breach, it is unlikely that the incident will result in identity theft as it does not include information such as the National Registration Identity Card number.

It warned, however, that affected users may be more susceptible to phishing attempts due to the exposure of their email addresses or mobile phone numbers.

“We advise all of our users to be on the lookout for any phishing emails or SMSes,” the firm said.

“Protecting our users’ personal information has been and will always be of utmost importance to us. We are committed to providing our community with a safe shopping environment and deeply regret this incident.”