Carousell hit by data breach, users' email addresses and mobile numbers exposed
Carousell said that no password-related information was compromised in the breach, and that it was unlikely that the incident would result in identity theft.
SINGAPORE: E-commerce platform Carousell notified its users on Friday (Oct 21) of a data breach that occurred on Oct 14.
Data exposed in the breach includes users' registered email addresses, mobile numbers and dates of birth.
The platform informed affected users via email, and did not detail in the notice why it took a week to notify users.
"We sent out this alert as soon as we could," a Carousell spokesperson said on Friday evening in response to CNA queries.
"At the point of discovery, our priority was to ensure that the source of the issue has been resolved, and to size the impact of this breach to notify the Personal Data (Protection) Commission of Singapore.
"Subsequently, our team also spent time dissecting the data in order to give complete information to our affected users, which is to identify for each user, what kind of data was affected."
In its notice to affected users, Carousell said that based on its investigations, a bug was introduced during a system migration and was used by a third party to gain unauthorised access to the personal data of some users in Singapore.
It said it has "taken action" in connection with the issue and has fixed the bug to prevent any further unauthorised access to personal information.
"Our team is in the midst of assessing the situation and working on security enhancement features to prevent this type of event from happening in the future. We are also working with the relevant authorities on an investigation," said the spokesperson.
The company deeply regrets the incident and would like to share its sincerest apologies, added the spokesperson.
In its notice to users, Carousell assured those who have used its in-app payment feature that no credit card or payment-related information was compromised in this incident.
It said that no password-related information was compromised in the breach, and that it was unlikely that the incident would result in identity theft, as it does not include users' NRIC numbers.
"A potential risk of having your mobile number and/or email address shared would be that you would be more susceptible to a phishing attempt," said the notice.
Users have been advised to look out for phishing emails or SMS.
"Carousell will never ask our users to share their personal information by email or in-app messaging, and we ask that they do not respond to any communications that ask for information such as your passwords," said the spokesperson.
The spokesperson added that Carousell will be adding automated and manual review processes for any external application programming interfaces (APIs) to ensure personal data is not provided to unauthorised users.