A database containing 2.6 million user accounts stolen from Carousell is being sold for USD 1,000 on the Dark Web and hacking forums. Carousell officially reported 1.95 million accounts affected.
An unauthorised third party gained access to data after a bug was introduced during a system migration, the company said on Friday evening. Users were assured that the bug had been fixed and no payment or credit card information was compromised.
Two days before Carousell confirmed the breach, hackers uploaded the 2GB database. The leak contains users’ usernames, first names, e-mail addresses, mobile phone numbers, country of origin, account creation date and number of followers. Through a vulnerability in Carousell’s systems, the hackers gained partial control over the database.
An investigation has been initiated by the Personal Data Protection Commission. Carousell has been offered assistance by the Cyber Security Agency of Singapore. A Carousell spokesperson said the company had contacted all affected users and advised them to be on the lookout for phishing emails and SMSes, and not to respond to requests for their passwords.