14,000 meconnect accounts accessed by unidentified external party; no payment information compromised: Mediacorp

SINGAPORE: A total of 14,000 meconnect users have been advised to change their password after their accounts were accessed, Mediacorp said on Thursday (Feb 23).

Mediacorp said login credentials were not leaked from the system and further investigations did not reveal any evidence that users’ personal data had been misused or disclosed to the public. 

“Users can be assured that no payment information has been compromised as a result of this incident,” said Mediacorp.

The unauthorised access was detected during monitoring in late January and was carried out by an unidentified external party, said the national media network. The meconnect accounts are used to access Mediacorp services such as mewatch.

It is understood that this was likely a credential stuffing incident, a type of cyber attack in which credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service. This is based on the assumption that usernames and passwords are often reused across multiple services.

Last month, it was reported that PayPal suffered a similar attack. An estimated 35,000 accounts were accessed during the incident from Dec 6 to Dec 8, 2022.

ACCOUNT HOLDERS NOTIFIED

The 14,000 meconnect accounts affected formed a small percentage of the millions of meconnect accounts, said Mediacorp. The company has notified all affected account holders and as an added measure, their passwords have been reset.

They have also been strongly advised to change their passwords and check any other accounts where the same login credentials may have been used. 

“We take our obligation to safeguard personal data very seriously and will continue to take the necessary precautions to protect our users’ personal data,” said a Mediacorp spokesperson. “Mediacorp’s operations and services remain unaffected, and are not disrupted by this incident.”

Mediacorp, which owns CNA, said it has filed a police report and notified regulators, including the Singapore Personal Data Protection Commission, and will be cooperating with any further inquiries.