PETALING JAYA: Following the discovery that the data of 2.6 million Carousell users had been uploaded to an online forum for sale, the ecommerce platform has confirmed that Malaysian users were affected by the data breach.
“We are still investigating the total number of impacted accounts, rest assured we will notify the affected users as soon as we can,” a Carousell spokesperson said in a statement to LifestyleTech.
The database was first uploaded on Oct 12 and was claimed to include usernames, full names, email addresses, phone numbers, country codes, and the number of followers and of users followed, along with the registration dates of the accounts.
The data was sold for US$1,000 (RM4,720), with the uploader claiming that only five copies of it would be made available, all of which have been sold.
Carousell confirmed the breach on Oct 14, and began notifying affected users last Friday (Oct 21).
“At the point of discovery, we did not have full details yet.
“Our initial priority was to ensure that the vulnerability had been isolated and contained, and to size (up) the impact of this leak to notify the Personal Data Protection Commission of Singapore.
“We did so on Oct 17, 2022,” the spokesperson said.
The company is “dissecting the data” in order to give complete information to affected users, including identifying which users were affected and what type of data was stolen.
According to the initial statement issued by Carousell, the bug that caused the incident has since been resolved.
“Based on our investigations, a bug was introduced during a system migration and was used by a third-party to gain unauthorised access to personal data of certain users in Singapore.
“We have taken action in connection with this issue and have fixed the bug to prevent any further unauthorised access to personal information,” the company said in a statement.
In the statement, Carousell users were also told to watch out for possible phishing emails or text messages. They were urged not to answer any messages that asked for personal information or passwords.