On May 14, 2021, Carousell Pte. (“Carousell”) informed the Personal Data Protection Commission (“the Commission”) of an incident of unauthorized access to its users’ accounts caused by a “credential stuffing” attack. Credential stuffing is a type of cyberattack in which a cybercriminal takes username and password pairs stolen from one organization and tries them against another organization’s login, relying on users having reused the same credentials on both services.
Carousell was alerted to the issue by reports from two Carousell users. First, on April 26, 2021, a user reported that their account had been hacked and used to make unauthorized purchases. Later, on June 1, 2021, Carousell was alerted to another incident with the same modus operandi, in which unauthorized purchases had again been made successfully.
The attacker(s) obtained the usernames and passwords from an exposure of those details on another service provider’s platform (not Carousell). Because the affected users had reused the same username and password for their Carousell accounts, the cybercriminal was able to log in to those accounts, change the account settings needed to make purchases, and make unauthorized purchases.
Carousell immediately investigated the matter and found that there was no compromise of personal data from Carousell’s own databases.
Additionally, at the time of the incident, Carousell had security measures in place, including:
• Notifying users when the password, email address or phone number linked to their account changes, or when they have logged in from a new device;
• Training its staff to identify and investigate probable account takeovers;
• Ensuring that card transactions that meet a certain fraud score are blocked and/or reviewed;
• Ensuring that a one-time password (OTP) is required to complete transactions paid for by card;
• Regularly reviewing policies, and regularly testing and revising risk rules based on trends in fraud, seasonality, regulation and all related indicators;
• Providing company-wide training and newsletters to increase staff awareness of security and data protection requirements; and
• Conducting annual penetration security assessments.
The Commission found that Carousell adopted reasonable standards to protect personal data in its customer accounts and also took prompt action to mitigate the unfortunate effects of the data breach.
The Commission also acknowledged that Carousell had reviewed the incident and taken adequate corrective action to strengthen its security measures, including blocking suspicious IP addresses, adding rules to its existing third-party fraud detection tools to prevent new cases of credential stuffing, implementing mandatory two-factor authentication via email when a user logs in from a different device, and advising users on how to improve their security on its platform and stay alert to phishing attempts.
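The controls described above (flagging and blocking source IPs that show credential-stuffing behaviour, and requiring a step-up check when a successful login comes from a device the account has not used before) can be illustrated with a small detection routine. The following is an added example written for this page; it is not Carousell’s code and does not reflect its actual fraud rules. The login log, the per-user "known device" store, the device identifiers and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection over a constructed login log (added example).

Credential stuffing looks different from a password brute force: one source
tries MANY DIFFERENT usernames in a short window, and most attempts fail
because most leaked pairs do not match, with an occasional success where the
user reused a password. The rule below keys on exactly that shape.
"""
from collections import defaultdict
from typing import NamedTuple


class Attempt(NamedTuple):
    ts: int        # seconds since an arbitrary start (constructed)
    ip: str        # source IP of the login attempt
    user: str      # username tried
    device: str    # hypothetical device identifier (cookie/fingerprint)
    success: bool  # whether the password was accepted


# Constructed sample log. 203.0.113.7 sprays six different usernames in a few
# seconds and gets one hit (carol reused her password). 198.51.100.5 is a
# single user mistyping a password twice, which must NOT be flagged.
SAMPLE_LOG = [Attempt(*row) for row in [
    (0,  "203.0.113.7",  "alice", "dev-x1", False),
    (2,  "203.0.113.7",  "bob",   "dev-x1", False),
    (3,  "203.0.113.7",  "carol", "dev-x1", True),
    (5,  "203.0.113.7",  "dave",  "dev-x1", False),
    (6,  "203.0.113.7",  "erin",  "dev-x1", False),
    (8,  "203.0.113.7",  "frank", "dev-x1", False),
    (10, "198.51.100.4", "alice", "dev-a1", True),   # normal login, known device
    (12, "198.51.100.5", "dave",  "dev-d1", False),  # typo
    (15, "198.51.100.5", "dave",  "dev-d1", False),  # typo again
    (20, "198.51.100.5", "dave",  "dev-d1", True),
    (30, "198.51.100.9", "bob",   "dev-b2", True),   # genuine, but a new device
]]

# Constructed store of devices each account has previously logged in from.
KNOWN_DEVICES = {
    "alice": {"dev-a1"},
    "bob": {"dev-b1"},
    "carol": {"dev-c1"},
    "dave": {"dev-d1"},
}


def detect_stuffing_ips(log, window=60, min_attempts=5,
                        min_distinct_users=5, max_success_ratio=0.5):
    """Return the set of source IPs whose traffic in any `window`-second span
    contains at least `min_attempts` attempts against at least
    `min_distinct_users` different usernames with a low success ratio."""
    by_ip = defaultdict(list)
    for a in log:
        by_ip[a.ip].append(a)

    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        for i in range(len(attempts)):
            # Expand a sliding window starting at attempt i.
            j = i
            while j < len(attempts) and attempts[j].ts - attempts[i].ts <= window:
                j += 1
            span = attempts[i:j]
            if len(span) < min_attempts:
                continue
            distinct_users = {a.user for a in span}
            successes = sum(1 for a in span if a.success)
            if (len(distinct_users) >= min_distinct_users
                    and successes / len(span) <= max_success_ratio):
                flagged.add(ip)
                break
    return flagged


def decide_logins(log, known_devices, **thresholds):
    """For each successful login return (ts, user, decision) where decision is
    'block'   - source IP was flagged as credential stuffing,
    'step_up' - unknown device for this account: require the email 2FA check
                (and notify the user of the new-device login),
    'allow'   - known device and no suspicious source."""
    flagged = detect_stuffing_ips(log, **thresholds)
    decisions = []
    for a in log:
        if not a.success:
            continue
        if a.ip in flagged:
            decisions.append((a.ts, a.user, "block"))
        elif a.device not in known_devices.get(a.user, set()):
            decisions.append((a.ts, a.user, "step_up"))
        else:
            decisions.append((a.ts, a.user, "allow"))
    return decisions


if __name__ == "__main__":
    print("flagged IPs:", detect_stuffing_ips(SAMPLE_LOG))
    for ts, user, decision in decide_logins(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"t={ts:>3} user={user:<6} -> {decision}")
```

Two points matter in practice. The per-IP rule only catches a stuffing run that comes from a small number of addresses; real campaigns are usually spread across large proxy pools so that each IP stays under any threshold, which is why the new-device step-up (the email two-factor check Carousell introduced) is the control that holds regardless of where the attempt originates. And the single-user failures from 198.51.100.5 are deliberately left alone: a distinct-username requirement keeps a legitimate user who mistypes a password from being treated as an attacker.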
In these circumstances, the Commission concluded that Carousell had not breached data protection obligations under data protection law and no instructions were issued against it.