Carousell faces data breach, database of 2.6 million users including Malaysians allegedly sold for $1,000

E-commerce platform Carousell was hit by a data breach that reportedly occurred on October 14. A database containing the contact details of 2.6 million users has been put up for sale on an online forum for US$1,000 (about RM4,738). According to Channel News Asia, Carousell alerted its affected customers via email on Friday, October 21.

According to the listing, the seller is offering only five copies of the database and claims to have sold two of them as of October 18, 2022. The database is claimed to be 2 GB in size and to contain 5.5 million records, filtered down to 2.6 million records with unique emails. The seller also provided sample data with 1,000 records, which appears to include multiple Malaysian and Indonesian users based on the country field. Records contain account creation date, username, first and last name, email address, phone, country, and number of subscribers and subscribers.

AsiaOne reported that the data was compromised after a bug was introduced during a system migration and was used by a third party to gain unauthorized access. Carousell said the bug has been fixed and assured that no credit card or payment information was compromised.

Since the leaked data contains contact details, it could potentially be used for spam and phishing attempts. Carousell said it contacted all affected users and advised them to look out for any phishing emails or text messages, and not to respond to any communication asking for information such as their passwords.

We reached out to Carousell to learn more about the impact of the data breach on Malaysian users.
