Data allegedly from 2.6 million Carousell accounts is being traded on the dark web and hacking forums.

The victims’ usernames, first and last names, e-mail addresses, mobile phone numbers, country of origin, date of account creation, and number of followers are all included in the breach.

That’s a step up from “Registered email address and Registered mobile number.”

Yes, sir. They just alerted me about the possibility of phishing. Dammit. Carousell continues to have the audacity to require merchants to validate their accounts with Singpass MyInfo before they can withdraw their Caroupay revenues. As a result, no seller will accept Caroupay.

Caroupay should never be utilised since it shifts the costs of lost mail from buyer to seller. I’m a non-professional seller offering unwanted items at rock-bottom costs; there’s no way I’m going to supply buyers with free insurance and guarantee that they’ll receive goods.

When sellers actually receive the short end of the stick with Caroupay, some purchasers will still try to convince me that it’s a win-win situation.

Why did the hackers bother selling the database on the dark web? They could have probably just sold it on the Carousell platform because “users are allowed to purchase and sell freely.”

Isn’t that like their entire database? Thank you for donating our information, Carousell.

I logged in to see what information I have on my account and found the following:

We do not share this information with other users unless you give us explicit permission.

Is it just me that has been getting odd phone calls since this incident? In an 8-minute period, I received calls from +85 numbers.

Me too messed up, I got one this morning. I’ve been getting them for so long that I’m not surprised.

On Friday, I received two calls from +54 and +40, both at nearly the same time. I have blocked unknown callers on iOS and have had no calls from unknown numbers.

I’m getting strange WhatsApp messages requesting confirmation of something via an unknown link. Phishing emails are now being used to phish WhatsApp. Then I received a message from my optician instructing me to gather my belongings and organise them through some website. Already scared about clicking the website.

If your email is linked to your phone number, it can be a privacy nightmare if it falls into the wrong hands.

And, for example, if your Reddit username is the same as Carousell, this data dump will easily identify you.

Have you ever used an app that was so buggy that you just KNEW it would be hacked eventually? One of these apps is Carousell.

Data worth 2.6 million dollars was sold for $1000. GSS or these individuals believe that this data is essentially worthless. Consider going to a record store for $1000.

The information is useless for cracking and can only be used for social engineering or phishing. So not much worth.

Malaysia’s Singpass similar information was allegedly leaked for $10,000, including 22.5 million citizens.

I used to be a ‘foreign worker in Singapore,’ and I have a Carousell account. What precautions must I take? I’ve seen some phishing communications, but I haven’t responded to them; instead, I’ve blocked them. Is it necessary for me to contact my bank? I’m not in the know.

I don’t believe so; they expressly stated in an email that only our contact information and email address had been published. Nothing, including passwords, has been revealed. Simply do not click on any unsolicited text messages or emails.

I reviewed a sample of the data that was exposed. The data is rather benign in terms of leaks, but it is still valuable for phishing and social engineering.

I wouldn’t be concerned about being hacked, but I would be aware of phishing attempts.

Good luck to those who use their real name and the same email address and phone number as their Singpass. Carousell’s security is inadequate. The image depicts Carousell informing users about a leak in May and another in October. That’s 5 months of lax security.

Companies should be penalised for this type of behaviour, terrible. I still believe that the website that exposed the data should compensate those affected by providing new phone numbers.

Why do all dark web hacker forums use the same software/platform as a service interface? They’re all the same templates. All of them are utilising MyBB and the same template. If taken down, it is simple to redeploy.

I am one of those affected. What can I do to safeguard myself? With email and phone numbers exposed, other unrelated accounts can be severely harmed.

If your Carousell name isn’t vital for brand recognition (for example, if you’re simply a random guy selling secondhand items), modify your username so that the 5 consumers only see your old username.

It would protect you from the five customers if they hadn’t finished scraping the Carousell website for username profile details, but if the initial leaker grabbed the profile data before May 2022, it is too late.

If I were the leaker, I’d scrape the website starting in May 2022 and then give the profile data to the 5 customers as a “value extra” later this year.

How many are there? How come I didn’t receive an email informing me of this hack… This means you were unaffected. Perhaps businesses should begin encrypting all sensitive customer data, not just passwords and emails.


Australian Clinical Labs have been accused of ‘sitting on’ a hack that resulted in patient data being leaked to the dark web.

They were well aware of the potential harm it may cause them and their investors if it became public. It makes you question how many more corporations will reveal that their customer/client data has been compromised, and what the regulatory responses will be.

I can think of a slew of concessions that have either gone unnoticed or passed unnoticed. Regulation of persons who work with/design systems, as well as security for PII handling, is long needed.

Check out Nick Espinosa’s videos on YouTube:

He has been compiling a weekly list of infractions for quite some time. It’s quite frightening how much is popped from week to week.

That share price must be protected at all costs.

The publicly traded company with over $1 billion in annual revenue said it first learned of the hack in February but assumed no data had been stolen.

“At the time,” it stated in a statement, “the external forensic specialists found no evidence that information had been hacked.”

I’m calling BS here. If this is the case, bring out the reports from these “specialists” to see if they are accurate. What “investigations” were conducted to get this conclusion?

I work in the aged care profession, and we have some quite strict policies in place, including data breaches. And I’ve worked in a number of organisations where an email was sent to the wrong client with other client data, etc. (usually seen as minor) – every single time we treated the incident like it should, with an investigation, identification of areas for continuous improvement, actions, reporting to the appropriate places, and some difficult conversations with staff. And every time I’ve been involved (I manage quality, risk, and compliance), I’ve thought to myself, “Big business isn’t going to this length, unless discovered,” and “Small business may not be a) aware of their obligations, b) certainly not reporting it, and c) have no means to truly keep data safe.” Every time I hand out data or information, I am concerned. Consider all of the loyalty programmes.

TL;DR People and businesses may not always take it seriously, and some may be unaware that they are required to report.

There’s little doubt ACL was aware they needed to report. There’s some doubt about how seriously they took security.

This is heinous. The board and all Cxx level staff should be dismissed and barred from ever holding those posts again.

Every business now requires a personal email address. You’ll know exactly where it came from if it ever arrives in the wild.

I accomplish this by using a catch-all domain that goes into a single box –,, and so on.

I do this using Fastmail (yeah, I’m a scumbag) and they allow you to create masked emails so that instead of giving out your real email address, they give you a random email like and you give it a friendly name like “Bank Spam” – it all gets filtered through that channel.

If that email is compromised by a corporation, I delete it and go on to the next randomly created email.

You could do this with email sub-addressing, but not all companies will allow you to join up in that way.

For example, for Optus, use, and for Medibank, use

Some signup forms mistakenly reject + because they believe it is invalid, but that’s an altogether new can of worms.

Surprise, surprise, privatised healthcare does not care about patient safety.

“The company responded to the information request and verified that, to the best of its knowledge, the company did not believe any data had been hacked,”

They had no idea they were being watched. Clearly, they were not looking, and they were not searching the dark web for their patient data. They didn’t want to invest money protecting their data because they had no idea how valuable it was to crooks.

ACL is the pathology industry’s filth. I’m not surprised. Chinese ownership. To be honest, I wasn’t surprised at all. Clinical Abbreviations

So you’re just keeping credit card information in plain text in a spreadsheet?

There aren’t many specifics provided. Has Australian Clinical Labs contacted anyone about the data leak?


Two Alleged Darknet Vendors Arrested in Australia – Cocaine, MDMA, and $60,000 Cash Found – Dark Net Daily

Well done, cops. Now, consumers will simply buy their drugs from less trustworthy, possibly more dangerous, local sellers.

Do the drug squad cops truly believe they are making a difference? These folks are squandering their opportunities.

It’s past time to legalise and tax drugs instead of squandering resources on incarceration. This is the ring that the cops will soon lose. Funny.

Damn I’m curious who it was. Prices will rise, as they always do.
However, if these narcotics were legalised, the large bosses’ profit margins would shrink!

I’m curious who is truly funding the anti-drug agenda.

Darknet drug markets are popular among Australians.

We have no idea what you’re referring to. Shoosh

The darknet drug markets sound like a terrifying, dreadful world. How do I get my hands on it? So, you know, I can keep as far away from it as possible.

The first step would be to not get a high-quality USB stick. Next, you should never use tails to authenticate an image. You should never, ever burn this ISO on a CD/DVD. Never restart your computer while the tails DVD is still in the drive. If you fell over and someone put the tails DVD in the disc and restarted your computer, never use the tails installer to instal tails on a decent quality USB stick that you did not purchase. You should never utilise the encrypted persistence option on your USB stick at this time.

If you later find yourself running tails from a USB stick you did not purchase, you should make sure TOR is running and never ever go to

But, seriously, if you have no idea what you’re doing, you should spend a lot of time reading and learning. If you perform this on the regular web, rather than TOR (as found in tails), your trail will be far more difficult to track.

That is all really needless. Download TOR, buy bitcoins, then connect to a VPN to get started. Tails is primarily used by sellers or political dissidents in North Korea and China.

Telling you that would almost certainly violate Reddit’s TOS. Duckduckgo is your pal. Will Australians be required to pay GST on medications purchased online?

Free trade! When someone talks about free trade, you know they wish to restrict commerce for their own advantage.

The DNMs are now in a poor situation, as most of the large marketplaces are continually down due to DDoS attacks, and many sellers are pulling exit scams.

That is fair, however I feel that with more advanced setups and working more beneath the radar, this will resolve itself in due course.

It’s funny how many people want Evolution to return, even if it’s just to arrange another one-year con, because it was the most complex and tightly-run operation when it was up.

The War on Drugs and prohibition in general have done more harm than good.

I’m pleased to see these markets performing well, and I’m not surprised. I’ve heard of many people having positive experiences as a result of these marks; if only it were legal to prevent users from being cheated on occasion.

I hope we begin to view drugs as a medical issue rather than a legal one. I hope that the money spent on incarcerating people for nonviolent, victimless drug offences was instead invested on recovery centres and drug education. We would save money while keeping people free and protected.

Legalizing pharmaceuticals will also protect the purity of these compounds, preventing more harmful alternatives and designer medicines from stealing lives.

