Carousell has become a household name for Singaporeans that’s synonymous with buying and selling items outside the traditional retail sphere.
However, the portal is now the latest local company to be hit by a personal data security breach.
The breach ended up exposing users’ email addresses and mobile numbers.
In an email to affected users on Friday (21 Oct), Carousell said they confirmed the data breach on 14 Oct.
They didn’t mention why it took one week to inform users.
However, a spokesperson told Channel NewsAsia (CNA) that they sent out the alert as soon as they could.
Their priority was to ensure the issue was resolved and to assess its impact so they could notify the Personal Data Protection Commission (PDPC).
The company has already informed the PDPC and law enforcement officials and is assisting them with investigations.
In their letter, Carousell said the breach exposed the email addresses and mobile numbers of certain users in Singapore.
An unauthorised third party had accessed the personal information via a bug that was introduced during a system migration.
However, they assured users that no credit card information and details related to payments were compromised.
Carousell also maintained that identity theft was “unlikely”, as users’ NRIC numbers were not among the data exposed.
However, users whose email addresses and mobile numbers were leaked would be at greater risk of falling prey to a phishing scam.
In August, the police said a Carousell phishing scam had conned victims out of about S$17,000.
Thus, Carousell warned users to beware of emails or SMSes from unfamiliar sources, especially those with foreign links.
Carousell also said that hackers wouldn’t be able to access Carousell accounts as no password-related info was leaked.
If the website detects a login from a new device, it would also require Two-Factor Authentication (2FA) from a registered email address.
As long as the 2FA isn’t shared, other parties won’t have access.
Though the email seemingly didn’t contain an apology to users, the Carousell spokesperson apologised in their response to CNA, saying that they “deeply regret the incident”.
They’ll be taking steps to ensure users’ personal data is not provided to unauthorised users, including adding automated and manual review processes for any external application programming interfaces (APIs).
Those who have any questions can contact the company at dpo@thecarousell.com.