Singapore sales portal hacked, leaving two million customers exposed to cyber fraud
Carousell, a buy-and-sell digital platform used by around four in ten Singaporeans, has been hacked, leaving almost two million customer details exposed. Furthermore, it’s unclear just how long the data was accessible.

Image by Shutterstock
Carousell, a buy-and-sell digital platform used by around four in ten Singaporeans, has been hacked, leaving almost two million customer details exposed. Furthermore, it’s unclear just how long the data was accessible.
The breach was disclosed by the company to a local media news site TODAY on October 21. According to the news outlet, Carousell attributed the breach to the previous week, leaving 1.95 million customers’ mobile phone numbers and email addresses exposed.
However, a post on hacker platform BreachForums dated October 12, two days before Carousell says the breach took place, appears to claim that the company was infiltrated as far back as May.
The hacker post also says 2GB of information was accessed, with a taster file of user data uploaded to the forum for potential buyers, who were quoted the data haul at a rate of “$1,000/5 copies.”
Other personally identifying information, such as date of birth, would also have been affected, assuming a customer supplied this to Carousell.
Cybercriminals often sell such details on dark web forums, where they can be purchased by their cronies to facilitate further online crimes, including phishing or social engineering scams deployed via email.
Phone numbers can also be used to bolster such con tricks, wth cyber crooks placing calls, a technique known as “vishing,” in further efforts to dupe victims into parting with their money.
“We advise all of our users to be on the lookout for any phishing emails or SMSes,” said Carousell, which reached out to customers to inform them of the violation of its cybersecurity but insisted that no credit card details were compromised.
“For users who have used our in-app payment feature, either as a buyer or seller, please be assured that no credit card and payment-related information was compromised in this incident,” it added.
Carousell says it has fixed the bug, which it believes was “introduced” to its systems during “a system migration” by an unspecified “third party.”
The company added that the victims of the breach were unlikely to have their identities stolen as a result, as the national identity card numbers that are used in Singapore were not exposed.