The IDs and passwords of more than 1500 SingPass accounts may have been accessed without the owners' permission. SingPass operator Crimson Logic informed the Infocomm Development Authority of Singapore (IDA) on Monday that a number of users had received a SingPass password reset notification letter even though they did not request to change their password.
For the uninitiated, SingPass is a single-factor authentication system for all government e-services in Singapore. SingPass covers more than 340 e-services for 64 government agencies such as CPF, IRAS and Mindef. SingPass has 3.3 million users and processed 57 million transactions in 2013.
Preliminary investigations show that 1560 SingPass user IDs and passwords were potentially accessed. 419 of them had their password reset. The password reset notification letters were sent to the registered address of the SingPass account holders.
Passwords of all affected users have been reset, and the IDA is in the process of notifying them. A police report was filed on Tuesday by IDA.
IDA said that investigations so far show there is no evidence to suggest the SingPass system has been compromised. But if that is the case, then how did someone manage to trigger a password reset for 419 accounts? Hopefully IDA and Crimson Logic can finish their investigation soon and stop this from happening again.
By the way, usually when there is a hack, I would recommend that everyone change their password. But in this case, I don’t know if changing your password will help or not. It seems like someone managed to change the registered mobile number in the system for 2FA and used that to reset the password. Changing your SingPass password does not do anything unless your account has been compromised.