Jalan App’s Alleged Data Leak Releases Over 500 Emails

Weeks after the largest cyber-attack on Singapore, it appears that not all businesses are taking data security seriously.

That’s if you believe Redditor u/chickenbruschetta, who alleges that a local start-up accidentally leaked hundreds of its users’ email addresses.

The post in r/Singapore has received over 150 upvotes in 15 hours.

Trouble began on Friday (10 August), when Jalan invited users to try its beta membership package.

The Redditor noticed that he wasn’t the only recipient of the email, which was sent at 4pm on Friday. Insteading of BCC-ing all its users, the start-up plonked all their emails in the addressee field.

That means recipients basically saw this:


The Jalan app gives users with route choices based on different combinations of transport modes. It also allows them to book and pay for shared bicycles and e-scooters, which means it contains sensitive payment information.

The app’s developer mobilityX is seed-funded by SMRT and supported by the Economic Development Board.

Email only what

You might brush off the data leak as a minor one, since just email addresses were used. But with just an email account, hackers can still wreak havoc.

With just an ID, it’s not that difficult to hack into your email. That’s because some Singaporeans remain ignorant about password security.

In 2015, The Straits Times reported that common passwords among netizens here include:

  • 123456
  • password
  • welcome
  • baseball
  • dragon

And a quick scan of the emails show that some were Government-linked, including addresses belonging to NTU’s web domain.

Redditors were largely outraged with the leak, calling on the thread starter to report the matter to the Personal Data Protection Commission.

Spotlight on data security

The data leak comes as national attention on cybersecurity is at an all-time high. In July, SingHealth announced that it had been the victim of a cyber-attack, believed to be the largest in Singapore’s history.

It appears that hackers were after the medical records of Prime Minister Lee Hsien Loong. But they also amassed the data of more than 1.5 million Singaporeans in the process.

Featured image from Reddit.