Carousell’s Big Data Leak Gets a Dark Web Debut
Carousell, the Singapore‑based marketplace that lets you swap bikes, books, and those odd “knotted socks” you found on a morning stroll, just spilled nearly 2 million user details onto the shadowy corners of the internet. Rather than being quietly dumped, the stolen data is being sold for a cool $1,000.
Where It Came From
It all started with a tiny bug that slipped in during a system migration. The glitch let an outsider get in and grab the details of 1.95 million accounts. The company fixed the loophole, stopped the bleed, and gave assurance that no credit‑card or payment info was involved.
What Hackers Got
The stolen nuggets include:
- Username, first and last name
- Email address
- Mobile number
- Country of origin
- Date account was created
- Number of followers a user has
The data lives in a 2 GB file, big enough to test your patience but small enough that the hackers can market it digitally.
Money‑making Play
The hackers uploaded the full database on Oct 12, two days before Carousell announced the breach. They’re offering just five copies of the trove for purchase on a variety of hacking forums. A sample sheet of 1,000 users is also up, proof that the hackers aren’t shy about flaunting their haul.
By Saturday, two of these limited editions were already sold. The rest? Awaiting the next willing buyer.
Official Response
Carousell’s spokesman has reached out to every affected user, warning of a possible phishing wave. “Keep your guard up for emails or texts that feel like a sneaky sales pitch and ask for passwords or other sensitive info,” he said. The Personal Data Protection Commission is already digging into the matter, while the Cyber Security Agency of Singapore has offered technical support.
Context: A String of Data Breaches
It’s not a one‑off. Earlier this year, Singtel’s Australian arm Optus saw up to 10 million customers hit by a breach. In Singapore, 178 incidents were logged, a 65% spike from the previous year, and a 2021 hack lifted 129,000 customer records from a third‑party file share. The city‑state’s digital landscape is under continuous siege.
Bottom Line
For you: double‑check any unsolicited messages. If a stranger asks for your password, say No thanks! For the industry: it’s a reminder that even a single bug can become a $1,000 box of secrets sold in the internet’s underbelly. Let’s keep the shopping carts safe.