
At Carousell, we believe in more than just buying and selling. We believe in the power of possibilities that people bring to the process. Through every buyer, seller and listing, we believe there’s opportunity beyond the transactional. Our mission is to inspire every person in the world to start selling and buying to make more possible for one another. Carousell was founded by Siu Rui, Lucas and Marcus back in August 2012 - whereby the focus is to give our users the tools to solve problems- whether it’s decluttering or earning side income- there are possibilities for everyone. We believe that technology is an enabler to solve meaningful problems at scale. We are crafting the most seamless user experience for people to sell what they don’t need and find what they need. Carousell Group is the leading multi-category platform for secondhand in Greater Southeast Asia on a mission to make secondhand the first choice. Founded in August 2012 in Singapore, the Group has a leading presence in seven markets under the brands Carousell, Carousell Media Group, Cho Tot, Laku6, LuxLexicon, Mudah.my, OneShift, REFASH and Revo Financial, serving tens of millions of monthly active users. Carousell is backed by leading investors including Telenor Group, Rakuten Ventures, Naver, STIC Investments, 500 Global and Peak XV Partners (formerly known as Sequoia Capital India). We have offices across Southeast Asia, India, Taiwan and Hong Kong. As a team of passionate individuals working together to solve meaningful problems, there is so much more for you to discover in a career with Carousell.

Carousell Group A.I CyberSecurity Scoring

Carousell Group

Company Details

LinkedIn ID: carousellgroup

Employees number: 1,158

Number of followers: 79,255

NAICS: 5112

Industry Type: Software Development

Homepage: carousell.com

IP Addresses: 0

Company ID: CAR_1222142

Scan Status: In-progress

Carousell Group Risk Score (AI oriented)

Between 650 and 699

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score to calculate premiums

Carousell Group Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Carousell Group Company CyberSecurity News & History

Past Incidents: 2
Attack Types: 2

Carousell Group
Breach
Severity: 100
Impact: 5
Seen: 10/2022
Rankiteo Explanation: Attack threatening the organization's existence

Description: A database of user accounts that were stolen from online marketplace Carousell was sold on the Dark Web and hacking forums. The database, which allegedly contained 2.6 million accounts’ information, is being sold for $1,000. The data was compromised after a bug was introduced during a system migration and used by a third party to gain unauthorised access. Hackers also uploaded the 2GB database two days before Carousell confirmed the breach. The leak contains victims’ usernames, first and last names, e-mail addresses, mobile phone numbers, country of origin, date of account creation and a number of followers.

Carousell Group
Data Leak
Severity: 85
Impact: 3
Seen: 6/2022
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: Taipei, March 12 (CNA) During the past five weeks, the Criminal Investigation Bureau (CIB) has found that Shopee and Carousell, two Singapore-based online marketplaces, have been the two C2C platforms where users have been most likely to fall for phishing scams. The attacks were designed to obtain personal or company information from clients who used it to complete online transactions, in order to carry out scams such as canceling installment payment plans. According to the CIB, between June 2022 and February 2023, it notified seven ministries, including the MODA, the Ministry of Health and Welfare, the Ministry of Education, the Ministry of Economic Affairs, and the Ministry of Culture, about up to 100 e-commerce companies suspected of disclosing customer personal data.


Underwriter Stats for Carousell Group

Incidents vs Software Development Industry Average (This Year)

No incidents recorded for Carousell Group in 2025.

Incidents vs All-Companies Average (This Year)

No incidents recorded for Carousell Group in 2025.

Incident Types Carousell Group vs Software Development Industry Avg (This Year)

No incidents recorded for Carousell Group in 2025.

Incident History — Carousell Group (X = Date, Y = Severity)

Carousell Group cyber incidents detection timeline including parent company and subsidiaries


Carousell Group Similar Companies

GlobalLogic

GlobalLogic, a Hitachi Group company, is a trusted partner in design, data, and digital engineering for the world’s largest and most innovative companies. Since our inception in 2000, we have been at the forefront of the digital revolution, helping to create some of the most widely used digital prod

Xiaomi Technology

Xiaomi Corporation was founded in April 2010 and listed on the Main Board of the Hong Kong Stock Exchange on July 9, 2018 (1810.HK). Xiaomi is a consumer electronics and smart manufacturing company with smartphones and smart hardware connected by an IoT platform at its core. Embracing our vision

VMware by Broadcom delivers software that unifies and streamlines hybrid cloud environments for the world’s most complex organizations. By combining public-cloud scale and agility with private-cloud security and performance, we empower our customers to modernize, optimize and protect their apps an

Bosch USA

The Bosch Group’s strategic objective is to create solutions for a connected life. Bosch improves quality of life worldwide with innovative products and services that are "Invented for life"​ and spark enthusiasm. Podcast: http://bit.ly/beyondbosch Imprint: https://www.bosch.us/corporate-informatio

Join us in our mission to help the world get well, help the world stay well, and help future generations be healthier. We hire smart and motivated people from all academic majors to code, test, and implement healthcare software that hundreds of millions of patients and doctors rely on to improve ca

Workday

Workday is a leading provider of enterprise cloud applications for finance and human resources, helping customers adapt and thrive in a changing world. Workday applications for financial management, human resources, planning, spend management, and analytics are built with artificial intelligence and

Shopee

Shopee is the leading e-commerce platform in Southeast Asia and Taiwan. It is a platform tailored for the region, providing customers with an easy, secure and fast online shopping experience through strong payment and logistical support. Shopee aims to continually enhance its platform and become th

Grab is Southeast Asia’s leading superapp, offering a suite of services consisting of deliveries, mobility, financial services, enterprise and others. Grabbers come from all over the world, and we are united by a common mission: to drive Southeast Asia forward by creating economic empowerment for ev

Bolt

At Bolt, we're building a future where people don’t need to own personal cars to move around safely and conveniently. A future where people have the freedom to use transport on demand, choosing whatever vehicle's best for each occasion — be it a car, scooter, or e-bike. We're helping over 200 mill


Carousell Group CyberSecurity News

July 31, 2025 01:17 AM
Carousell latest feature uses AI to help you sell better

The online classifieds marketplace launches a new feature called “Smart Listings” to help you sell better.

December 17, 2024 08:00 AM
Hong Kong police warn online selling platform Carousell being used for scams

Hong Kong police have warned residents about scammers posing as customers on the popular online retail platform Carousell, with 644 cases involving HK$36...

April 02, 2024 07:00 AM
Deals in brief: Alterno secures funding, Ant Group pumps SGD 200 million into Anext Bank, Carousell acquires LuxLexicon, and more

Alterno, a Vietnamese developer of sand batteries, has secured over USD 1.5 million in a seed funding round jointly led by The Radical Fund and Touchstone...

December 14, 2023 08:00 AM
Carousell Group Releases First-of-its-kind Circular Economy Impact Report Showing Positive Climate Impact from Secondhand Transactions in Greater Southeast Asia

The Group's user community avoided 116577 tonnes of carbon emissions in four goods categories in 2022, the equivalent to 5.3 million trees...

April 19, 2023 07:00 AM
Property firm OrangeTee & Tie fined $37k for data breach affecting over 250,000 customers, staff

Data including names, bank account numbers and NRIC numbers were extracted from outdated servers. Read more at straitstimes.com.

December 31, 2022 08:00 AM
Major data breaches in Malaysia in the past 24 months

Malaysians have been hit with yet another data breach. This time involving a banking institution, multimedia and broadcast agency and a government electoral...

October 08, 2021 07:00 AM
Deals of the week: Temasek bets on cybersecurity; ESOP startup bags US$15m

THESE tech deals made headlines in the past week: Orca Security Date announced: Oct 6 What it does: Cloud security Headquarters: Israel...

May 05, 2021 07:00 AM
Founded by former Carousell and Fave execs, Rainforest gets $36M to consolidate Asia-Pacific Amazon Marketplace brands

Singapore-based Rainforest is one of the newest entrants in the wave of startups that “roll-up” small e-commerce brands.

November 25, 2019 08:00 AM
Telenor Group Mergers its Online Classifieds Business 701Search with Carousell

Telenor Group announced a merger between its online classifieds business, 701Search, and Carousell, one of Asia's largest and.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Carousell Group CyberSecurity History Information

Official Website of Carousell Group

The official website of Carousell Group is http://careers.carousell.com/.

Carousell Group’s AI-Generated Cybersecurity Score

According to Rankiteo, Carousell Group’s AI-generated cybersecurity score is 690, reflecting their Weak security posture.

How many security badges does Carousell Group have ?

According to Rankiteo, Carousell Group currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Carousell Group have SOC 2 Type 1 certification ?

According to Rankiteo, Carousell Group is not certified under SOC 2 Type 1.

Does Carousell Group have SOC 2 Type 2 certification ?

According to Rankiteo, Carousell Group does not hold a SOC 2 Type 2 certification.

Does Carousell Group comply with GDPR ?

According to Rankiteo, Carousell Group is not listed as GDPR compliant.

Does Carousell Group have PCI DSS certification ?

According to Rankiteo, Carousell Group does not currently maintain PCI DSS compliance.

Does Carousell Group comply with HIPAA ?

According to Rankiteo, Carousell Group is not compliant with HIPAA regulations.

Does Carousell Group have ISO 27001 certification ?

According to Rankiteo, Carousell Group is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Carousell Group

Carousell Group operates primarily in the Software Development industry.

Number of Employees at Carousell Group

Carousell Group employs approximately 1,158 people worldwide.

Subsidiaries Owned by Carousell Group

Carousell Group presently has no subsidiaries across any sectors.

Carousell Group’s LinkedIn Followers

Carousell Group’s official LinkedIn profile has approximately 79,255 followers.

NAICS Classification of Carousell Group

Carousell Group is classified under the NAICS code 5112, which corresponds to Software Publishers.

Carousell Group’s Presence on Crunchbase

No, Carousell Group does not have a profile on Crunchbase.

Carousell Group’s Presence on LinkedIn

Yes, Carousell Group maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/carousellgroup.

Cybersecurity Incidents Involving Carousell Group

As of December 04, 2025, Rankiteo reports that Carousell Group has experienced 2 cybersecurity incidents.

Number of Peer and Competitor Companies

Carousell Group has an estimated 27,201 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Carousell Group ?

Incident Types: The types of cybersecurity incidents that have occurred include Data Leak and Breach.

Incident Details

Can you provide details on each incident ?

Incident : Data Breach

Title: Carousell Data Breach

Description: A database of user accounts that were stolen from online marketplace Carousell was sold on the Dark Web and hacking forums. The database, which allegedly contained 2.6 million accounts’ information, is being sold for $1,000. The data was compromised after a bug was introduced during a system migration and used by a third party to gain unauthorised access. Hackers also uploaded the 2GB database two days before Carousell confirmed the breach. The leak contains victims’ usernames, first and last names, e-mail addresses, mobile phone numbers, country of origin, date of account creation and a number of followers.

Type: Data Breach

Attack Vector: System Migration Bug

Vulnerability Exploited: System Migration Bug

Motivation: Financial Gain

Incident : Phishing

Title: Phishing Scams on Shopee and Carousell

Description: Phishing scams on Shopee and Carousell platforms designed to obtain personal or company information to cancel installment payment plans.

Date Detected: 2022-06-01

Date Publicly Disclosed: 2023-03-12

Type: Phishing

Attack Vector: Phishing emails or messages

Vulnerability Exploited: User trust in online platforms

Threat Actor: Unknown

Motivation: Financial gain

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The attack vectors identified in incidents include phishing emails or messages.

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach CAR1831122

Data Compromised: Usernames, First and last names, E-mail addresses, Mobile phone numbers, Country of origin, Date of account creation, Number of followers

Incident : Phishing CAR21412323

Data Compromised: Personal and company information

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Usernames, First And Last Names, E-Mail Addresses, Mobile Phone Numbers, Country Of Origin, Date Of Account Creation, Number Of Followers, and Personal and company information.

Which entities were affected by each incident ?

Incident : Data Breach CAR1831122

Entity Name: Carousell

Entity Type: Online Marketplace

Industry: E-commerce

Customers Affected: 2.6 million

Incident : Phishing CAR21412323

Entity Name: Shopee

Entity Type: E-commerce

Industry: Retail

Location: Singapore

Incident : Phishing CAR21412323

Entity Name: Carousell

Entity Type: E-commerce

Industry: Retail

Location: Singapore

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Phishing CAR21412323

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach CAR1831122

Type of Data Compromised: Usernames, First and last names, E-mail addresses, Mobile phone numbers, Country of origin, Date of account creation, Number of followers

Number of Records Exposed: 2.6 million

Sensitivity of Data: Medium

Incident : Phishing CAR21412323

Type of Data Compromised: Personal and company information

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Phishing CAR21412323

References

Where can I find more information about each incident ?

Incident : Phishing CAR21412323

Source: CNA

Date Accessed: 2023-03-12

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at Source: CNA, Date Accessed: 2023-03-12.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Phishing CAR21412323

Entry Point: Phishing emails or messages

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Breach CAR1831122

Root Causes: System Migration Bug

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was Unknown.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2022-06-01.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-03-12.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were usernames, first and last names, e-mail addresses, mobile phone numbers, country of origin, date of account creation, number of followers, and Personal and company information.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were usernames, first and last names, mobile phone numbers, Personal and company information, date of account creation, e-mail addresses, number of followers and country of origin.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 2.6M.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident is CNA.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry point used by an initial access broker was Phishing emails or messages.


Latest Global CVEs (Not Company-Specific)

Description

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.

Risk Information
cvss3
Base: 6.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Description

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.

Description

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

Description

Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

Risk Information
cvss4
Base: 9.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating-point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

Risk Information
cvss4
Base: 5.5
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=carousellgroup' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
