
Cyber Incident Victim: Carousell

Date:

Oct 2022

Location:

Singapore

Summary

A breach of a Singaporean sales platform exposed nearly two million users' contact details, including phone numbers and email addresses, with additional personal information potentially compromised if provided by customers. The incident stemmed from a vulnerability introduced during a third-party system migration, enabling unauthorized access to approximately 2GB of data later offered for sale on a hacker forum. While payment details and national identity numbers remained secure, the company addressed the flaw and alerted affected users to heightened phishing and vishing risks.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On October 21, 2022, Carousell disclosed a cybersecurity breach impacting 1.95 million users of its Singapore-based sales platform, representing approximately 40% of the country's population. The company attributed the incident to a vulnerability introduced during a system migration conducted by an unspecified third party, though it did not specify the exact date of the breach. According to Carousell's statement, unauthorized access occurred during the week prior to October 14, 2022, resulting in the exposure of customer email addresses and mobile phone numbers. However, this timeline conflicted with evidence from BreachForums, where a hacker claimed responsibility for the intrusion on October 12 and suggested initial system infiltration may have occurred as early as May 2022. The threat actor advertised approximately 2GB of stolen data for sale at $1,000 per five copies, including a sample file containing user information posted to the forum. While Carousell confirmed no financial data or Singaporean national identity card numbers were compromised, the company acknowledged that additional personal information such as dates of birth could have been exposed if voluntarily provided by users during account creation.


Carousell remediated the incident by fixing the migration-related vulnerability and notified affected customers that the exposed email addresses and phone numbers could be used against them in phishing and vishing attempts. The company emphasized that credit card information for users of its in-app payment system remained secure. Cybersecurity analysts observed that the stolen data set matched the kind of contact lists commonly traded on underground markets for social engineering, in particular SMS phishing (smishing) and voice phishing (vishing), since a name paired with a working phone number and email address is enough to craft convincing messages that reference the victim's Carousell account. Carousell maintained that identity theft was unlikely because no national ID numbers were involved. The breach was nonetheless the platform's second publicly known security failure, following a 2020 API vulnerability that exposed user chat records. The delayed public disclosure, which came nine days after the BreachForums posting and seven days after Carousell's own detection, drew scrutiny of the company's incident response transparency. Forensic analysis of the incident remained limited because Carousell did not publicly release technical details about the attack vector or identify the third party responsible for the flawed system migration.
