‘Hacker’ Obtains OTP via Help Chat, Activates Circles.Life User’s eSIM & Logs into Her E-commerce Accounts


The "hacker" made off with only S$6.99, but the ordeal left the user deeply unsettled.


A typical evening for Circles.Life user Sim, 34, turned into a nightmare when she received an unexpected email containing a chat log between “her” and a service agent—one that she hadn’t initiated. What followed was a tense battle against a “hacker” who gained access to her personal accounts.

Dec. 29: Gaining Entry

On Dec. 29, Sim received an email showing a chat log between “her” and a Circles.Life service agent. The alarming part: Sim never initiated this conversation. In the chat, the impersonator claimed they couldn’t access their email to retrieve a one-time password (OTP) and needed help changing the email associated with the account.

A Circles.Life service agent then joined the conversation and posed a security challenge to confirm the identity of “Sim.” Surprisingly, the impersonator easily provided Sim’s personal details, including her full NRIC number, even though the agent had asked for only part of it. With this information, the impersonator was granted the OTP, and the interaction ended without raising suspicion.

Dec. 30: Raising the Alarm

The next day, Dec. 30, Sim contacted Circles.Life to escalate the issue and ensure no further changes could be made to her account. She emphasized that she had no intention of altering her account and urged them to flag any future suspicious activity.

Circles.Life assured her that they would investigate the matter and treat it seriously.

Jan. 2: Fraud Attempts

On Jan. 2, Sim received another email from Circles.Life containing a new chat log showing a similar conversation with the impersonator, who once again managed to retrieve an OTP. Shortly after, Sim lost connection to her phone line—an indication that the hacker had activated an eSIM using her credentials.

While Sim was attempting to contact Circles.Life, her husband reached out to the telco via Facebook. Her phone line was eventually suspended, but not before the hacker accessed Sim’s Shopee account and attempted to top up her Shopee Pay wallet with S$500.

A Game of Cat and Mouse

Sim and the hacker engaged in a back-and-forth struggle to reset her Shopee account password. After five failed attempts at accessing her Shopee Pay, the hacker was locked out, preventing further transactions. However, the damage was done—Sim lost S$6.99 from her GrabPay wallet and access to several of her online accounts.

Her husband attempted to communicate with the hacker via Sim’s compromised phone line. The hacker responded in Cyrillic script, taunting them and demanding US$300 (S$400). Communication continued briefly via email, but eventually, the hacker stopped attempting to gain further access to Sim’s accounts.

Aftermath and Frustrations

Though the hacker didn’t make off with a large sum, the ordeal left Sim distressed. She had to take time off work, report the incident to the police, and deal with the fallout from the breach. Despite escalating the issue with Circles.Life on Dec. 30, the company didn’t prevent further attempts on Jan. 2.

Circles.Life offered Sim a 12-month free mobile subscription as “goodwill,” though Sim has not accepted the offer. She has since switched to another telco but is keeping the Circles.Life line active temporarily.

Circles.Life Responds

In response to queries, a Circles.Life spokesperson stated that customer data safety is a “top priority” and assured that the company had taken immediate action to suspend the account and escalate the issue. They added that the company plans to create a dedicated Scam & Fraud taskforce to address future incidents more efficiently.

The Infocomm and Media Development Authority (IMDA) confirmed that investigations are ongoing.

Security Expert Weighs In

Cybersecurity expert Aaron Ang clarified that the incident was a case of “social engineering” rather than hacking. The hacker manipulated Circles.Life’s service process by providing personal details to gain access to Sim’s account.

Ang suggested that providing OTPs via chat undermines security measures and recommended additional verification steps, such as Singpass integration, to enhance protection.

Sim’s case highlights the importance of safeguarding personal data and the need for stronger security measures by service providers.
